ABSTRACT 

We introduce a family of temporal logics to specify the behavior of systems with Zeno 
behaviors. We extend linear-time temporal logic LTL to authorize models admitting Zeno 
sequences of actions and quantitative temporal operators indexed by ordinals replace the 
standard next-time and until future-time operators. Our aim is to control such systems 
by designing controllers that safely work on $\omega$-sequences but interact synchronously 
with the system in order to restrict their behaviors. We show that the satisfiability and 
model-checking for the logics working on $\omega^k$-sequences is EXPSPACE-complete when the 
integers are represented in binary, and PSPACE-complete with a unary representation. 
To do so, we substantially extend standard results about LTL by introducing a new 
class of succinct ordinal automata that can encode the interaction between the different 
quantitative temporal operators. 

Keywords: temporal logic, Zeno behavior, control, physical system. 

1. Introduction 

Control of physical systems. Modelling interaction between a computer system 
and a physical system has to overcome the difficulty of the different time scales. 
For example, reasoning about the connection between the physical description of an 
electric circuit and its logical description in VHDL (standard language designed and 
optimized for describing the behavior of digital systems) needs to take into account 
that the two descriptions are dealing with objects running at distinct speeds. The 
speeds can be so different that some abstraction consists in assuming one system 
evolves infinitely quicker than the other one. Another kind of interaction consists 
of controlling a physical system by a computer system. Usually, a physical system 
is modelled by differential equations. Solving those equations can then involve 
computations of limits. For instance, in the bouncing ball example [20], in a finite 
amount of time an infinite number of actions can be performed. It is a Zeno sequence 
of actions. Similar behaviors have also been considered to solve the car-bee problem 
|2fi|. However, Zeno behaviors are usually excluded from the modelling of real-time 
controllers, which is a reasonable requirement (see e.g. [10]), but also from the 
modelling of the physical systems, see some exception in jS]|3D]. This is a quite 
drastic limitation, since Zeno sequences are often acceptable behaviors for physical 
systems. 

Department of Information Science, The University of Tokyo. 

Beyond $\omega$-sequences. Our main motivation in this paper is to model Zeno 
behaviors and ultimately to control physical systems admitting such behaviors. To do 
so, we introduce a specification logical language that is interpreted on well-ordered 
linear orderings. Reasoning problems based on this logical language should admit 
efficient algorithms, as good as those for standard specification languages such as 
linear-time temporal logic LTL, see e.g. ^5]. The $\omega$-sequences are already familiar 
objects in model-checking, see e.g. [45], even though such infinite objects are never 
manipulated when model-checking finite-state programs. Indeed, most problems on Büchi 
automata reduce to standard reachability questions on finite graphs. In a similar 
fashion, the behaviors of physical systems are modeled in the paper by sequences 
indexed by countable ordinals (see e.g. 02), i.e. equivalence classes of well-ordered 
linear orderings, even though as we will show most problems will also reduce to 
questions on finite graphs. For instance, the law of movement of the bouncing ball 
is modelled by a set of sequences of length $\omega^2$. The specification of the ball, i.e. the 
set of acceptable behaviors, is also characterized as a set of sequences of the same 
length $\omega^2$. On the other hand, the controller is a computer system whose complete 
executions are $\omega$-sequences. In this paper, we allow Zeno behaviors of physical 
systems and we will present a specification language working on sequences indexed by 
ordinals greater than the usual first infinite ordinal $\omega$. 

Our contribution. We introduce a class of logics LTL($\alpha$) indexed by a countable 
ordinal $\alpha$ closed under addition whose models are sequences of length $\alpha$. 
Quantitative extensions of the standard next-time X and until U operators are considered 
by allowing operators of the form $X^{\beta}$ and $U^{\beta}$ with $\beta$ smaller than $\alpha$. As shown in 
the paper, for every $\alpha < \omega^\omega$, LTL($\alpha$) can be viewed as a fragment of the monadic 
second-order theory $\langle \omega^\omega, < \rangle$ known to be decidable, see e.g. ^Sj-. For every $k \geq 1$, we 
show that LTL($\omega^k$) satisfiability is PSPACE-complete with a unary encoding of 
integers and EXPSPACE-complete with a binary encoding. This generalizes non-trivially 
what is known about LTL. We reduce the satisfiability problem to the non-emptiness 
problem of ordinal automata recognizing transfinite words |12l 1181 1461 1281 ITT] . The 
reduction entails that the satisfiability problem has an elementary complexity (by 
using but does not guarantee the optimal upper bound. We introduce a class 
of succinct ordinal automata of level $k$, $k \geq 1$, into which the LTL($\omega^k$) formulae can be 
translated, and we prove that the non-emptiness problem is in NLOGSPACE. 
Succinctness allows us to reduce by one exponential the size of the automata obtained 
by translation, which provides us the optimal upper bound. Analogous complexity 
results are shown for model checking. Finally, we introduce and motivate a control 
problem with inputs a physical system $S$ modelled by an ordinal automaton 
working on $\omega^k$-sequences, and an LTL($\omega^k$) formula $\phi$ describing the desirable behaviors 
of the system. The problem we introduce is the existence of a controller $C$ working 
on $\omega$-sequences such that all the behaviors of $S \times C$ satisfy the property $\phi$. The 
synchronization operation $\times$ takes into account the different time scales between $S$ and 
$C$ and the set of synchronization vectors depending on the set of observable actions 
of the controller $C$. As a by-product of our results, checking whether a controller 
satisfies the above conditions can be done effectively but we leave the question of 
the existence and synthesis of such controllers for future work. 

Related work. Our original motivation in this work is the control of systems with 
legal Zeno behaviors by systems whose complete executions are $\omega$-sequences. The 
theory of control of discrete event systems was introduced in In this theory, 
a process is a deterministic non-complete finite automaton over an alphabet of 
events. The control problem consists in, given a process $P$ and a set $S$ of admissible 
behaviors, finding a process $Q$ such that the behaviors of $P \times Q$ are in $S$ and such 
that $Q$ reacts to all uncontrollable events and cannot detect unobservable events. 
Extension to specifications from the modal $\mu$-calculus can be found in [3] whereas 
the control of timed systems (without Zeno behaviors) is for instance studied in 0] 
1291 ITU] . It is plausible that the techniques from the above-mentioned works (see 
also [inH 1431 |2j) can be adapted to the control problem we have introduced but 
the technical contribution of this paper is mainly oriented towards satisfiability and 
model-checking issues. 

The logics we have introduced belong to the long tradition of quantitative 
versions of LTL. LTL-like logics having models non isomorphic to $\omega$ can be found in 
PEOlEniEIlESEli-. Temporal operators in the real-time logics from [Tl lSlllSl] are 
indexed by intervals as our logics LTL($\alpha$). However, among the above-mentioned 
works, Rohde's thesis [30] contains an LTL-like logic interpreted over $\alpha$-sequences 
with ordinal $\alpha$ but the temporal operators are simply the standard next-time and 
until operators without any decoration. It is shown in [30] that the satisfiability 
problem for such a logic can be decided in exponential-time when the inputs are 
the formula to be tested and the countable ordinal from which the model is built. 
Similarly, in [2] a temporal logic with next-time and sometimes operators but 
interpreted over well-founded trees of $\omega$-segments is shown decidable by designing a 
cut-free sequent-style calculus. The concept of time gaps in J5| can be put naturally 
in correspondence with limits for ordinals. No complexity issues are discussed in [5] 
even though the temporal logic with only temporal operator next-time is shown 
equivalent to the famous modal logic S4 interpreted over reflexive and transitive 
Kripke frames and known to be PSPACE-complete. 

In the paper, we follow the automata-based approach for temporal logics from [45] 
but we deal with ordinal automata recognizing words of length $\alpha$ for some countable 
ordinal $\alpha$. So, we extend the reduction from LTL into generalized Büchi automata to 
the reduction from LTL($\omega^k$) into ordinal automata recognizing words of length $\omega^k$. 
Many classes of ordinal automata have been introduced in the literature. In [12, 18] 
automata recognizing $\omega^k$-sequences for some $k \geq 1$ are introduced making essential 
the concept of layer. In I4HI such automata are generalized to recognize 
$\alpha$-sequences for $\alpha$ countable. Correspondences between these different classes can be 
found in [7]. In the paper, we mainly adopt the definitions from [28]. An elegant and 
powerful extension to automata recognizing words indexed by elements from a linear 
ordering can be found in As far as we know, automata recognizing sequences 
of length greater than $\omega$ designed to solve verification problems have been first used 
in [25] to model concurrency by limiting the state explosion problem. Similarly, 
timed automata accepting Zeno words are introduced in [5] in order to model 
physical phenomena with convergent executions. The non-emptiness problem for such 
automata is shown to be decidable [Sj. 

As LTL can be viewed as the first-order fragment of monadic second order theory 
over $(\mathbb{N}, <)$, theories over $(\alpha, <)$ for some countable ordinal $\alpha$ have been also studied 
by Büchi [T2\, see also ^J[7]. For instance, decidability of monadic second order 
theories over $(\alpha, <)$ for some countable ordinal $\alpha$ is shown in [T5[ . Decidability status 
of elementary theories over countable ordinals have been established in [51 117|. 

Plan of the paper. In Sect. 2 we recall basic definitions about ordinals and 
we introduce a class of linear-time temporal logics parameterized by the length of 
the models. In Sect. 2.4 we show that any logic admitting models of length $\alpha$ 
with $\alpha < \omega^\omega$ is decidable by translation into the decidable monadic second order 
theory $\langle \omega^\omega, < \rangle$. Sect. shows how the class of models of a given formula from a 
logic working on $\omega^k$-sequences ($k < \omega$) can be recognized by an ordinal 
automaton. To do so, we substantially extend what is known about LTL with generalized 
Büchi automata. In order to fully characterize the complexity of logics working on 
$\omega^k$-sequences (EXPSPACE-completeness or PSPACE-completeness depending on the 
way integers are encoded), in Sect. 0] we introduce a class of succinct ordinal 
automata of level $k$, extending generalized Büchi automata, and we show that the 
emptiness problem is NLOGSPACE-complete. In Sect. 03 since we have at this point 
all the necessary background, we present the control problem that motivates our 
investigations. We prove that we can decide whether a given controller satisfies the 
properties stated in our logical framework. Sect.El contains concluding remarks and 
open problems. 

This paper is a completed version of [22]. Full proofs can be found in the technical 
appendix 



2. Temporal Logics on Transfinite Sequences 

2.1. Ordinals 

We recall basic definitions and properties about ordinals, see e.g. for 
additional material. An ordinal is a totally ordered set which is well ordered, i.e. all its 
non-empty subsets have a least element. Order-isomorphic ordinals are considered 
equal. They can be more conveniently defined inductively by: the empty set (written 
0) is an ordinal, if $\alpha$ is an ordinal, then $\alpha \cup \{\alpha\}$ (written $\alpha + 1$) is an ordinal 
and, if $X$ is a set of ordinals, then $\bigcup_{\alpha \in X} \alpha$ is an ordinal. The ordering is obtained by 
$\beta < \alpha$ iff $\beta \in \alpha$. An ordinal $\alpha$ is a successor ordinal iff there exists an ordinal $\beta$ such 
that $\alpha = \beta + 1$. An ordinal which is not 0 or a successor ordinal is a limit ordinal. 
The first limit ordinal is written $\omega$. Addition, multiplication and exponentiation 
can be defined on ordinals inductively: $\alpha + 0 = \alpha$, $\alpha + (\beta + 1) = (\alpha + \beta) + 1$ and 
$\alpha + \beta = \sup\{\alpha + \gamma : \gamma < \beta\}$ where $\beta$ is a limit ordinal. Multiplication and 
exponentiation are defined similarly. $\epsilon_0$ is the closure of $\omega \cup \{\omega\}$ under ordinal addition, 
multiplication and exponentiation. By the Cantor Normal Form theorem, for any 
ordinal $\alpha < \epsilon_0$, there are unique ordinals $\beta_1, \ldots, \beta_p$, and unique integers $n_1, \ldots, n_p$ 
such that $\alpha > \beta_1 > \cdots > \beta_p$ and 

$\alpha = \omega^{\beta_1} \times n_1 + \cdots + \omega^{\beta_p} \times n_p$ 

If $\alpha < \omega^\omega$ then the $\beta_i$'s are integers. 

Whenever $\alpha \leq \beta$, there is a unique ordinal $\gamma$ such that $\alpha + \gamma = \beta$. We write 
$\beta - \alpha$ to denote $\gamma$. For instance, $\omega^2 - \omega = \omega^2$, $\omega \times 3 - \omega = \omega \times 2$ and $\omega^2 - \omega^3$ is not 
defined since $\omega^3 > \omega^2$. 

Given an ordinal $\alpha < \omega^k$ equal to $\omega^k a_k + \cdots + \omega^1 a_1 + \omega^0 a_0$, we write sum($\alpha$) 
to denote $a_k + \cdots + a_0$, head($\alpha$) to denote the maximal $i$ such that $a_i \neq 0$ and 
tail($\alpha$) to denote the minimal $i$ such that $a_i \neq 0$ (assuming $\alpha \neq 0$). For instance, 
tail($\alpha + \omega^n$) $= n$. 
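
The operations above, carried out on Cantor normal forms, as an added example that is not part of the original paper. It assumes ordinals below $\omega^\omega$ stored as coefficient tuples; the names `w`, `add`, `sub`, `less`, `total` and `closure_witness` are hypothetical helpers introduced here, and `closure_witness` goes one step further by exhibiting a pair $\beta, \beta'$ that breaks closure under addition.

```python
# Added example: ordinals below omega^omega in Cantor normal form.
# w^m*a_m + ... + w^1*a_1 + w^0*a_0 is stored as the tuple (a_0, ..., a_m):
# index = exponent, natural-number coefficients, no zero in the last slot.

ZERO = ()


def norm(coeffs):
    """Drop zero coefficients at the top so every ordinal has one encoding."""
    c = list(coeffs)
    while c and c[-1] == 0:
        c.pop()
    return tuple(c)


def w(n, times=1):
    """The ordinal omega^n x times (w(0, 3) is the integer 3)."""
    return norm((0,) * n + (times,))


def less(a, b):
    """a < b: the higher exponent wins, then coefficients are compared top-down."""
    if len(a) != len(b):
        return len(a) < len(b)
    return a[::-1] < b[::-1]


def add(a, b):
    """a + b: the terms of a below head(b) are absorbed, the rest is kept."""
    if not b:
        return a
    h = len(b) - 1
    mid = b[h] + (a[h] if h < len(a) else 0)
    return norm(b[:h] + (mid,) + a[h + 1:])


def sub(b, a):
    """b - a: the unique g with a + g = b; not defined when a > b."""
    if less(b, a):
        raise ValueError("b - a is not defined when a > b")
    n = max(len(a), len(b))
    pa, pb = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    for i in reversed(range(n)):
        if pa[i] != pb[i]:          # first difference from the top: pb[i] > pa[i]
            return norm(pb[:i] + (pb[i] - pa[i],))
    return ZERO


def head(a):
    """Maximal exponent with a non-zero coefficient (a must not be 0)."""
    if not a:
        raise ValueError("head(0) is not defined")
    return len(a) - 1


def tail(a):
    """Minimal exponent with a non-zero coefficient (a must not be 0)."""
    if not a:
        raise ValueError("tail(0) is not defined")
    return next(i for i, c in enumerate(a) if c != 0)


def total(a):
    """sum(a) in the text: the sum of all coefficients."""
    return sum(a)


def closure_witness(a):
    """None if a is closed under addition (0 or a single omega^n),
    otherwise a pair (b, b2) with b, b2 < a and b + b2 = a."""
    if total(a) <= 1:
        return None
    b = w(head(a))
    return b, sub(a, b)


if __name__ == "__main__":
    print(sub(w(2), w(1)))             # omega^2 - omega       -> (0, 0, 1)
    print(sub(w(1, 3), w(1)))          # omega x 3 - omega     -> (0, 2)
    print(tail(add((5, 2, 1), w(1))))  # tail(alpha + omega^1) -> 1
    print(closure_witness(w(1, 2)))    # omega x 2 is not closed under addition
```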

An ordinal $\alpha$ is said to be closed under addition whenever $\beta, \beta' < \alpha$ implies 
$\beta + \beta' < \alpha$. For instance, 0, 1, $\omega$, $\omega^2$, $\omega^3$, and $\omega^\omega$ are closed under addition. In the 
sequel, we shall consider logics whose models are $\alpha$-sequences, i.e. mappings of the 
form $\alpha \to \Sigma$ for some finite alphabet $\Sigma$ and ordinal $\alpha$ closed under addition. 

Lemma 1 For every ordinal $\alpha > 1$, $\alpha$ is closed under addition iff its Cantor normal 
form is $\omega^\beta$ for some ordinal $\beta$. 

The proof of Lemma 1 can be found in Appendix A. 

2.2. Quantitative Extensions of LTL 

For every ordinal $\alpha$ closed under addition, we introduce the logic LTL($\alpha$) whose 
models are precisely sequences of the form $\sigma : \alpha \to 2^{AP}$ for some countably infinite 
set AP of atomic propositions. The formulae of LTL($\alpha$) are defined as follows: 

$\phi ::= p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid X^{\beta}\phi \mid \phi_1 U^{\beta'} \phi_2,$ 

where $p \in AP$, $\beta < \alpha$ and $\beta' \leq \alpha$. The satisfaction relation is inductively defined 
below where $\sigma$ is a model for LTL($\alpha$) and $\beta < \alpha$: 

• $\sigma, \beta \models p$ iff $p \in \sigma(\beta)$, 

• $\sigma, \beta \models \neg\phi$ iff not $\sigma, \beta \models \phi$; $\sigma, \beta \models \phi_1 \wedge \phi_2$ iff $\sigma, \beta \models \phi_1$ and $\sigma, \beta \models \phi_2$, 

• $\sigma, \beta \models X^{\beta'}\phi$ iff $\sigma, \beta + \beta' \models \phi$, 

• $\sigma, \beta \models \phi_1 U^{\beta'} \phi_2$ iff there is $\gamma < \beta'$ such that $\sigma, \beta + \gamma \models \phi_2$ and for every $\gamma' < \gamma$, 
$\sigma, \beta + \gamma' \models \phi_1$. 

Closure under addition of $\alpha$ guarantees that $\beta + \beta'$ and $\beta + \gamma$ above are strictly 
smaller than $\alpha$. Moreover, in $X^{\beta'}\phi$, $\beta' < \alpha$ so that for any $\beta < \alpha$, $\beta + \beta' < \alpha$. 
By contrast, in $\phi_1 U^{\beta'} \phi_2$, $\beta' \leq \alpha$ (not necessarily strictly) because satisfaction of 
$\sigma, \beta \models \phi_1 U^{\beta'} \phi_2$ implies the existence of some $\gamma$ (satisfying some conditions) that is 
already strictly less than $\beta'$. The models of $\phi \in$ LTL($\alpha$) are defined as elements 
of the set Mod($\phi$) $= \{\sigma : \sigma, 0 \models \phi\}$. $\phi$ is said to be LTL($\alpha$)-satisfiable whenever 
Mod($\phi$) is non-empty. 

The operator $X^{\beta}$ is a natural generalization of the next-time operator from 
linear-time temporal logic LTL that allows to perform a jump of fixed length $\beta$. Similarly, 
the operator $U^{\beta}$ is a natural generalization of the until operator from LTL. We 
extend the standard abbreviations as follows: $F^{\beta}\phi = \top U^{\beta} \phi$ and $G^{\beta}\phi = \neg F^{\beta} \neg\phi$. 

The logic LTL(1) is equivalent to the propositional calculus since $\phi_1 U^{0} \phi_2$ is 
equivalent to $\bot$, $\phi_1 U^{1} \phi_2$ is equivalent to $\phi_2$, and $X^{0}\phi$ is equivalent to $\phi$. LTL is 
expressively equivalent to LTL($\omega$): the operators $X^{n}$ and $U^{n}$ for $n > 0$, and $U^{\omega}$ can 
be simply expressed with the LTL operators X and U. However, LTL($\omega$) is more 
succinct than LTL if the natural numbers are encoded with a binary representation 
(see Lemma 8). 

Actually in order to study the decidability/complexity of LTL($\alpha$), we restrict 
ourselves to countable limit ordinals $\alpha$ so that the set of formulae is itself countable. 
Furthermore, for studying complexity issues, it is necessary to specify the encoding 
of the ordinals $\beta < \alpha$ occurring in LTL($\alpha$) formulae. In the sequel, we use Cantor 
normal form to encode ordinals $1 < \beta < \omega^\omega$, and the natural numbers occurring in 
such normal forms are represented in binary. 

We provide below properties dealing with limit states that can be easily 
expressed in LTL($\omega^k$) ($k > 2$): 

1. "$p$ holds in the states indexed by limit ordinals strictly less than $\omega^k$": 

$G^{\omega^k}(X^{\omega^1} p \wedge \cdots \wedge X^{\omega^{k-1}} p).$ 

2. For $1 < k' < k - 2$, "if $p$ holds infinitely often in states indexed by ordinals of 
the form $\omega^{k'} \times n$, $n > 1$, then $q$ holds in the state indexed by $\omega^{k'+1}$": 

$(G^{\omega^{k'+1}} F^{\omega^{k'+1}} X^{\omega^{k'}} p) \Rightarrow (X^{\omega^{k'+1}} q).$ 

2.3. Model-checking 

The model-checking for LTL($\alpha$) is defined as a natural extension of the 
problem for LTL (its existential version) where the labelled transition systems are 
replaced by automata recognizing $\alpha$-sequences (see Definition 1). 

Model-checking problem for LTL($\alpha$): 

input: An ordinal automaton $A$ with finite alphabet a subset of $2^{AP}$ (see Sect. 3.1 
for a definition) and an LTL($\alpha$) formula $\phi$. 

question: Is there an $\alpha$-sequence $\sigma$ accepted by $A$ such that $\sigma, 0 \models \phi$? 

This is the existential version of model-checking (easier to relate with the 
satisfiability problem). The universal variant of the problem asks whether for all the 
$\alpha$-sequences $\sigma$ accepted by $A$, we have $\sigma, 0 \models \phi$. 

By standard arguments in computational complexity about deterministic classes 
and since LTL($\alpha$) is closed under negation, the complexity results for the existential 
variant of model checking about PSPACE-completeness and EXPSPACE-completeness 
also hold for the universal variant. Moreover, it is worth observing that in 
ordinal automata the labels are on one-step transitions and not on states as in 
standard Kripke structures usually used for stating LTL model checking. However, 
this is a superficial difference. 

2.4. A Non-elementary Decision Procedure 

Given LTL($\alpha$) models $\sigma, \sigma'$, we write $\sigma \approx_{\alpha'} \sigma'$ for some $\alpha' \leq \alpha$ whenever for 
every $\beta < \alpha'$, $\sigma(\beta) = \sigma'(\beta)$. Hence $\approx_{\alpha}$ is exactly the equality relation between 
LTL($\alpha$) models. Given an LTL($\alpha$) formula $\phi$, we write exp($\phi$) to denote either $\alpha$ if 
$\alpha$ occurs in $\phi$ or the smallest ordinal of the form $\omega^{\beta}$ such that for every ordinal $\beta'$ 
occurring in $\phi$, $\beta' < \omega^{\beta}$. 

Lemma 2 Let $\alpha$ be an ordinal closed under addition and $\phi$ be an LTL($\alpha$) formula. 
If $\sigma \in$ Mod($\phi$) and $\sigma \approx_{\exp(\phi)} \sigma'$, then $\sigma' \in$ Mod($\phi$). 

The proof of Lemma 2 is by an easy verification by observing that $\phi$ does not 
constrain states on positions greater than exp($\phi$). 

Proposition 1 Satisfiability for LTL($\omega^{\alpha}$), $< \alpha < \omega$, is decidable. 

The proof of Proposition 1 can be found in Appendix B and it provides a 
non-elementary complexity upper bound (a consequence of [35]). Furthermore, unlike 
the translation for LTL into the first-order theory of $\langle \omega, < \rangle$, the above translation 
makes a substantial use of second-order quantification. A translation into first-order 
logic has been found recently ^1] but whether LTL($\omega^\omega$) has an elementary bound 
is still open. In the sequel, we considerably improve the bound for logics LTL($\omega^k$), 
$k \in \mathbb{N} \setminus \{0\}$, by using an automata-based approach. 

3. Automata-based Approach 

In this section, we show how to construct an ordinal automaton $A_\phi$ such that 
its set of accepted words is precisely the models of $\phi$, extending the approach for 
LTL from [45]. In the rest of this section, $\phi \in$ LTL($\omega^k$) for some $k \geq 1$. 

3.1. Ordinal Automata 

We define ordinal automata as a generalization of Muller automata. 

Definition 1 (Ordinal Automaton) An ordinal automaton is a tuple 
$(Q, \Sigma, \delta, E, I, F)$ where: 

• $Q$ is a finite set of states, $\Sigma$ is a finite alphabet, 

• $\delta \subseteq Q \times \Sigma \times Q$ is a one-step transition relation, 

• $E \subseteq 2^{Q} \times Q$ is a limit transition relation, 

• $I \subseteq Q$ is a finite set of initial states, $F \subseteq Q$ is a finite set of final states. 

We write $q \xrightarrow{a} q'$ whenever $(q, a, q') \in \delta$ and $q \to q'$ iff $q \xrightarrow{a} q'$ for some $a \in \Sigma$. A 
path of length $\alpha + 1$ is a map $r : \alpha + 1 \to Q$ such that 

• for every $\beta \in \alpha$, $r(\beta) \to r(\beta + 1)$, 

• for every limit ordinal $\beta \leq \alpha$, there is $P \to r(\beta) \in E$ s.t. $P = \inf(\beta, r)$ with 

$\inf(\beta, r) = \{q \in Q :$ for every $\gamma \in \beta$, there is $\gamma'$ such that 
$\gamma < \gamma' < \beta$ and $r(\gamma') = q\}$. 

A run of length $\alpha + 1$ is a path of length $\alpha + 1$ such that $r(0) \in I$. If $r(\alpha) \in F$ 
then $r$ is said to be accepting. The set of sequences recognized by the automaton 
$A$, denoted by $L(A)$, is the set of $\alpha$-sequences $\sigma : \alpha \to \Sigma$ for which there is an 
accepting run $r$ of length $\alpha + 1$ verifying for every $\beta \in \alpha$, $r(\beta) \xrightarrow{\sigma(\beta)} r(\beta + 1)$. 

Ordinal automata from Definition 1 are those defined in . They are also 
exactly the P'-automata from [7, page 35], a variant of Wojciechowski's automata 
with no letter on limit transitions. The equivalence between these two formalisms 
is shown in [7, Sect. 2.5]. In [15, Def. 17], a similar notion is introduced and 
it is generalized in to automata recognizing sequences over scattered linear 
orderings. 

Example. We present below an example of ordinal automaton $A$ with limit 
transitions $\{0\} \to 1$ and $\{0, 1\} \to 2$. 

[Figure: the ordinal automaton $A$.] 

It is not difficult to show that $L(A)$ contains only $\omega^2$-sequences and $L(A) = (a^{\omega} \cdot b)^{\omega}$. 

3.2. Synchronous Product 

We define below the synchronous product of two ordinal automata w.r.t. a 
synchronization alphabet. The purpose of this definition is to state the control problem 
in Section 5. Given two ordinal automata $A_i = (Q_i, \Sigma_i, \delta_i, E_i, I_i, F_i)$, for $i = 1, 2$, 
their synchronous product with respect to the set $X$ of synchronization vectors 
in $\Sigma_1 \times \Sigma_2 \times \Sigma$ ($\Sigma$ is a third arbitrary alphabet) is defined as the automaton 
$A_1 \times_X A_2 = (Q, \Sigma, \delta, E, I, F)$ where: 

• $Q = Q_1 \times Q_2$. 

• $(q_1, q_2) \xrightarrow{c} (q_1', q_2') \in \delta$ iff there is $(a, b, c) \in X$ such that $q_1 \xrightarrow{a} q_1' \in \delta_1$, and 
$q_2 \xrightarrow{b} q_2' \in \delta_2$. 

• $P \to (q_1, q_2) \in E$ iff there exist $P_1 \to q_1 \in E_1$ and $P_2 \to q_2 \in E_2$ such that 
$\{q : (q, q') \in P\} = P_1$ and $\{q' : (q, q') \in P\} = P_2$. 

• $I = I_1 \times I_2$, $F = F_1 \times F_2$. 

By default, we write $A_1 \times A_2$ instead of $A_1 \times_{ID} A_2$ for the synchronized product 
with $\Sigma_1 = \Sigma_2 = \Sigma$ and $ID = \{(a, a, a) : a \in \Sigma\}$. 

Proposition 2 Let $A_1$ and $A_2$ be ordinal automata over the alphabet $\Sigma = \Sigma_1 = \Sigma_2$. 
We have $L(A_1) \cap L(A_2) = L(A_1 \times A_2)$. 

3.3. Hintikka Sequences 

We define below a notion of closure which generalizes the Fischer-Ladner 
closure 

Definition 2 (Closure) The closure of $\phi$, denoted by $cl(\phi)$, is the smallest set of 
LTL($\omega^k$) formulae such that 

• $\bot, \phi \in cl(\phi)$, 

• $\neg\psi \in cl(\phi)$ implies $\psi \in cl(\phi)$, 

• $\psi \in cl(\phi)$ implies $\neg\psi \in cl(\phi)$ (we identify $\neg\neg\psi$ with $\psi$), 

• $\psi_1 \wedge \psi_2 \in cl(\phi)$ implies $\psi_1, \psi_2 \in cl(\phi)$, 

• $X^{\beta}\psi \in cl(\phi)$ and $\beta \geq \omega^n$ ($0 \leq n < k$) imply $X^{\beta - \omega^n}\psi \in cl(\phi)$, 

• $\psi_1 U^{\beta} \psi_2 \in cl(\phi)$ and $\beta \geq \omega^n$ ($0 \leq n < k$) imply the formulae below belong to 
$cl(\phi)$: $\psi_1$, $\psi_2$, $X^{\omega^n}(\psi_1 U^{\beta - \omega^n} \psi_2)$, $\top U^{\omega^n} \neg\psi_1$, $\psi_1 U^{\omega^n} \psi_2$. 

It is not difficult to show that the notion of closure introduced above generalizes 
what is done for LTL. 

Lemma 3 Let $\phi$ be an LTL($\omega^k$) formula for some $k \geq 1$. 

(I) There exists a polynomial $p(\cdot)$ such that card($cl(\phi)$) is in $2^{O(p(|\phi|))}$ [resp. card($cl(\phi)$) 
is in $O(p(|\phi|))$] when integers are encoded in binary [resp. in unary]. 

(II) For all $X^{\beta}\psi \in cl(\phi)$ and $\gamma \leq \beta$, $X^{\beta - \gamma}\psi \in cl(\phi)$. 

(III) For all $\psi_1 U^{\beta} \psi_2 \in cl(\phi)$ and $\gamma \leq \beta$, $\psi_1 U^{\beta - \gamma} \psi_2 \in cl(\phi)$. 

From a formula $\phi$, we build an ordinal automaton $A_\phi$ such that $L(A_\phi)$ is precisely 
the set of LTL($\omega^k$) models satisfying $\phi$. Following the states of $A_\phi$ are subsets 
of $cl(\phi)$ containing formulae to be satisfied in the future, including the current 
position. Hence, $cl(\phi)$ is built in such a way that if either $q' \to q$ or $P \to q$ are 
transitions in $A_\phi$, then all the formulae to be satisfied in $q$ depending on $q'$ and $P$ 
are part of $cl(\phi)$. 
Definition 3 A set $X \subseteq cl(\phi)$ is said to be locally maximally consistent with respect 
to $\phi$ iff it satisfies the conditions below: 

(mc1) $\bot \notin X$, 

(mc2) for every $\psi \in cl(\phi)$, $\psi \in X$ iff $\neg\psi \notin X$, 

(mc3) for every $\psi_1 \wedge \psi_2 \in cl(\phi)$, $\psi_1 \wedge \psi_2 \in X$ iff $\psi_1, \psi_2 \in X$, 

(mc4) for every $X^{0}\psi \in cl(\phi)$, $X^{0}\psi \in X$ iff $\psi \in X$, 

(mc5) for every $\psi_1 U^{0} \psi_2 \in cl(\phi)$, $\psi_1 U^{0} \psi_2 \notin X$, 

(mc6) for all $\psi_1 U^{\beta} \psi_2 \in cl(\phi)$ and $\beta \geq \omega^n \geq 1$, $\psi_1 U^{\beta} \psi_2 \in X$ iff either $\psi_1 U^{\omega^n} \psi_2 \in X$ 
or $\neg(\top U^{\omega^n} \neg\psi_1), X^{\omega^n}(\psi_1 U^{\beta - \omega^n} \psi_2) \in X$, 

(mc7) for all $\psi_1 U^{\beta} \psi_2, \psi_1 U^{\beta'} \psi_2 \in cl(\phi)$ with $\beta < \beta'$, $\psi_1 U^{\beta} \psi_2 \in X$ implies $\psi_1 U^{\beta'} \psi_2 \in X$, 

(mc8) for every $\psi_1 U^{1} \psi_2 \in cl(\phi)$, $\psi_1 U^{1} \psi_2 \in X$ iff $\psi_2 \in X$. 

Although all these conditions are used in the forthcoming proofs, at the moment 
we ignore whether Condition (mc7) is a consequence of the other conditions. We 
denote by maxcons($\phi$) the set of locally maximally consistent subsets of $cl(\phi)$. 

For standard LTL, an Hintikka sequence $\rho$ for a formula $\phi$ is an $\omega$-sequence of sets 
of subformulae of $\phi$ such that $\phi$ is satisfiable iff $\phi$ has an Hintikka sequence. Local 
conditions in $\rho$ between two successive elements of the sequence are easy to handle 
in Büchi automata with the transition relation. The only global condition, stating 
that if $\psi_1 U \psi_2$ occurs in the sequence, then some future element in the sequence 
contains $\psi_2$, is handled by the Büchi acceptance condition. Sometimes the 
non-uniform treatment between local conditions and the global condition is the source 
of confusion. The Hintikka sequences defined below are based on a similar principle 
except that we can extend advantageously the notion of locality. The Hintikka 
sequences $\rho$ are of the form $\rho : \omega^k \to 2^{cl(\phi)}$. Encoding conditions between $\rho(\beta)$ and 
$\rho(\beta + 1)$ can be performed by one-step transitions in ordinal automata. However, 
the presence of limit transitions allows us also to admit conditions between $\rho(\beta)$ and 
$\rho(\beta + \omega^{n'})$ with $0 \leq n' < k$. Hence, the global condition in Hintikka sequences of 
LTL formulae is replaced by a condition between $\rho(\beta)$ and $\rho(\beta + \omega)$. For transfinite 
sequences, the local and global conditions can be treated uniformly. 

Definition 4 (Hintikka Sequence) An Hintikka sequence for $\phi$ is a sequence $\rho : 
\omega^k \to 2^{cl(\phi)}$ such that 

(hin1) $\phi \in \rho(0)$, 

(hin2) for every $\beta < \omega^k$, $\rho(\beta) \in$ maxcons($\phi$), 

(hin3) for all $\beta < \omega^k$, $X^{\beta'}\psi \in cl(\phi)$ and $0 \leq n' < k$ such that $\beta' \geq \omega^{n'}$, $X^{\beta'}\psi \in \rho(\beta)$ 
iff $X^{\beta' - \omega^{n'}}\psi \in \rho(\beta + \omega^{n'})$, 

(hin4) for all $\beta < \omega^k$ and $\psi_1 U^{\beta'} \psi_2 \in cl(\phi)$, (A) $\psi_1 U^{\beta'} \psi_2 \in \rho(\beta)$ iff (B) there is 
$\beta \leq \beta'' < \beta + \beta'$ such that $\psi_2 \in \rho(\beta'')$ and for every $\beta \leq \gamma < \beta''$, $\psi_1 \in \rho(\gamma)$. 

Given a model $\sigma : \omega^k \to 2^{AP}$ and $\phi$ an LTL($\omega^k$) formula, we write seq($\sigma, \phi$) 
to denote the sequence seq($\sigma, \phi$) $: \omega^k \to 2^{cl(\phi)}$ such that for every $\beta < \omega^k$, 

Lemma 4 Let $\sigma$ be a model such that $\sigma, 0 \models \phi$. Then seq($\sigma, \phi$) is an Hintikka 
sequence for $\phi$. 

The proof is by an easy verification. 

Lemma 5 Let $\phi$ be a formula and $\rho : \omega^k \to 2^{cl(\phi)}$ be an Hintikka sequence. For 
every $\beta < \omega^k$, for every $\psi \in cl(\phi)$, $\psi \in \rho(\beta)$ iff $\sigma, \beta \models \psi$ where $\sigma : \omega^k \to 2^{AP}$ with 
$\sigma(\beta) = AP \cap \rho(\beta)$. 

The proof of Lemma 5 can be found in Appendix C. As a consequence of 
Lemma 4 and Lemma 5 we obtain the following proposition. 

Proposition 3 $\phi$ is LTL($\omega^k$) satisfiable iff $\phi$ has an Hintikka sequence. 

3.4. Automaton Construction 

We build an ordinal automaton $A_\phi$ that recognizes only words of length $\omega^k$ 
over the alphabet $2^{AP}$ (assuming that AP is the finite set of atomic propositions 
occurring in $\phi$). 

As the automata built from LTL formulae, states of $A_\phi$ are locally maximally 
consistent sets. Each formula in a state has to be satisfied at the current position and 
this induces requirements for the future states of the run. Typically, if $X^{1}\psi$ belongs 
to some state, then the next state obtained by a one-step transition should contain 
the subformula $\psi$. However, the states in $A_\phi$ are also made of some $n \in \{0, \ldots, k\}$ in 
order to remember the tail of the position of the state in the run. This stratification 
of states is useful for defining limit transitions and this is possible only because $k$ 
is strictly less than $\omega$. 

The automaton $A_\phi = (Q, \Sigma, \delta, E, I, F)$ is defined as follows: 

• $\Sigma = 2^{AP}$, $Q =$ maxcons($\phi$) $\times \{0, \ldots, k\}$, 

• $I = \{(X, 0) \in Q : \phi \in X\}$, $F = \{(X, n) \in Q : n = k\}$, 

• $(X, n) \xrightarrow{a} (X', n') \in \delta$ iff (one-step transition) 

(A1) $n < k$ and $n' = 0$, 
(A2) $X \cap AP = a$, 
(A3) for every $X^{\beta}\psi \in cl(\phi)$ such that $\beta \geq 1$, $X^{\beta}\psi \in X$ iff $X^{\beta - 1}\psi \in X'$. 

• In order to define $E$, we introduce preliminary definitions. For every $\psi_1 U^{\beta} \psi_2 \in 
cl(\phi)$, we write $P_{\psi_1 U^{\beta} \psi_2}$ to denote the set below: 

$\{(X, n) :$ either $\psi_2 \in X$ or $\neg(\psi_1 U^{\beta} \psi_2) \in X\}$. 

For every $(X, n) \in Q$ we write $Q_{(X,n)}$ to denote the subset of $Q$ such that for 
every $(X', n') \in Q$, $(X', n') \in Q_{(X,n)}$ iff 

(A4) $n' < n$, 
(A5) for every $X^{\alpha}\psi \in cl(\phi)$ with $\alpha \geq \omega^n$, $X^{\alpha}\psi \in X'$ iff $X^{\alpha - \omega^n}\psi \in X$. 

For every $(X, n) \in Q$, $Z \to (X, n) \in E$ iff 

(A6) $n \geq 1$, 
(A7) $Z \subseteq Q_{(X,n)}$, 
(A8) $Z$ contains a state of the form $(Y, n - 1)$, 
(A9) for all $\psi_1 U^{\beta} \psi_2 \in cl(\phi)$ and $\beta \geq \omega^n$ such that $\neg(\psi_1 U^{\beta - \omega^n} \psi_2) \in X$, 
$P_{\psi_1 U^{\beta} \psi_2} \cap Z \neq \emptyset$. 

For LTL($\omega$), the above construction roughly corresponds to the Muller 
automaton obtained from the generalized Büchi automaton for the LTL formula $\phi$. 

A state $(X, n) \in Q$ is said to be of level $n$. Because of the strict discipline on 
levels in $A_\phi$ it is not difficult to show the following result. 

Lemma 6 Let $r : \omega^k + 1 \to Q$ be a run of $A_\phi$. For every $\alpha < \omega^k + 1$, $r(\alpha)$ is of 
level tail($\alpha$). 

It remains to prove the main lemma whose proof requires some careful 
analysis. Indeed, it is the place where the conditions of the form (mc*) and (A*) are 
technically justified. 

Lemma 7 Mod($\phi$) is non-empty iff $L(A_\phi)$ is non-empty. 

The proof of Lemma 7 can be found in Appendix D. The automaton $A_\phi$ has 
2 2 states and 2 2 transitions. By [16, Proposition 6], the emptiness 
problem for ordinal automata is in P. So checking whether $A_\phi$ accepts at least one word 
can be done in triple exponential time, which provides an elementary bound but 
not optimal as shown in Section 0] 

Proposition 4 $L(A_\phi) =$ Mod($\phi$). 

Even though LTL($\omega^\omega$) is decidable (by translation into the monadic second-order 
theory of $\omega^\omega$), the proof of Lemma 7 cannot be extended to LTL($\omega^\omega$). Indeed, by 
Sect. 8] (see also [2H1 Theorem 5.6]), there is no ordinal automaton accepting the 
language $\{a^{\alpha}\}$ for any countable ordinal $\alpha$ greater than or equal to $\omega^\omega$. However, 
for LTL($\omega^\omega$) it is open whether there exists a systematic construction of automata 
from formulae that allows to state a result as Lemma 7 (only equivalence of 
non-emptiness is required). 

4. Computational Complexity 

In this section, we show complexity results about satisfiability of LTL(cj fe ). 

4.1. EXPSPACE-hardness 

Lemma 8 below states that although LTL and LTL($\omega$) are expressively equivalent,
LTL($\omega$) is more concise than LTL mainly because $X^n p$ is exponentially more
succinct than $\underbrace{X \cdots X}_{n\ \text{times}}\, p$ when $n$ is encoded in binary.
Lemma 8 Satisfiability for LTL($\omega$) is EXPSPACE-complete.
Lemma 8 seems to contradict that LTL satisfiability is only PSPACE-complete
but $X^{2^n} p$ can be represented with only $O(n)$ bits. We prove the EXPSPACE-hardness
since it will be used also for characterizing the complexity of LTL($\omega^\omega$). The proof
is an adaptation of the proof of fZ7\ Theorem 4.7] showing the PSPACE-hardness
of LTL by reducing a PSPACE-complete tiling problem. In the case the natural
numbers are encoded in unary in LTL($\omega$), we regain the PSPACE-completeness (see
e.g. Sectional). The proof of Lemma 8 can be found in Appendix E.

As a consequence of Lemma 8 we obtain the following lower bound.
Theorem 1 For every ordinal $\alpha > 1$, satisfiability for LTL($\omega^\alpha$) is EXPSPACE-hard.

4.2. Succinct Ordinal Automata of Level k

In order to refine the complexity result from Sect. 13 we define below specialized
ordinal automata that recognize $\omega^k$-sequences. Similar automata can be found in
the literature, see e.g. [18, 28, 17]. The main merit of the definition below is to allow
easy manipulation in the forthcoming proofs.

Definition 5 (Ordinal Automaton of Level k) An ordinal automaton
$A = (Q, \Sigma, \delta, E, I, F)$ is said to be of level $k \ge 1$ iff there is a map $l : Q \to \{0, \ldots, k\}$
such that

• for every $q \in F$, $l(q) = k$;

• $q \xrightarrow{a} q' \in \delta$ implies $l(q') = 0$ and $l(q) < k$;

• $P \to q \in E$ implies

1. $l(q) \ge 1$,

2. for every $q' \in P$, $l(q') < l(q)$,

3. there is $q' \in P$ such that $l(q') = l(q) - 1$.

Hence, there is a partition of $Q$ of size $k + 1$ such that if $P \to q \in E$, then
$\max\{l(q') : q' \in P\} + 1 = l(q)$. Below, an ordinal automaton of level k is denoted
by $(Q, \Sigma, \delta, E, I, F, l)$ where $l$ is the level function. Each set of states having the
same level corresponds to a layer in Choueka's automata [18]. The automaton built
in Section |21 is of level k when the input formula is in LTL($\omega^k$). However, $A_\phi$ is
of triple [resp. double] exponential size in $|\phi|$ when integers are encoded in binary
[resp. unary], which is still too much to characterize accurately the complexity of
LTL($\omega^k$) satisfiability. That is why we introduce below a special class of ordinal
automata which can represent succinctly an exponential amount of limit transitions,
as the generalized Büchi automata can be viewed as a succinct representation of
Muller automata. Hence, we shall construct $A'_\phi$ such that $L(A'_\phi) = L(A_\phi)$, and $A'_\phi$
is "only" of double [resp. simple] exponential size in $|\phi|$ when integers are encoded
in binary [resp. unary].

Definition 6 (p(·)-Succinct Ordinal Automaton of Level k) Given
a polynomial p(·), a p(·)-succinct ordinal automaton of level k is a structure $A =
(Q, \Sigma, \delta, E, I, F, l)$ defined as an ordinal automaton of level k except that E is a set
of tuples of the form $(P_0, P_1, \ldots, P_n, q)$ with $n > 0$, $q \in Q$ and $P_0, \ldots, P_n \subseteq Q$ such
that

• $(P_0, P_1, \ldots, P_n, q) \in E$ implies

1. $1 \le l(q) \le k$,

2. each state in $P_0$ is of level $l(q) - 1$,

3. each state in $P_1 \cup \cdots \cup P_n$ is of level less than $l(q) - 1$,

4. $n < p(|Q|)$,

• for every state q of level strictly more than 0, there is at most one tuple in E
of the form $(P_0, P_1, \ldots, P_n, q)$.

Each tuple $(P_0, P_1, \ldots, P_n, q)$ encodes succinctly the set of limit transitions

$trans((P_0, P_1, \ldots, P_n, q)) = \{P \to q : P \subseteq Q,\ \forall i\ P_i \cap P \neq \emptyset \text{ and } \forall q' \in P,\ l(q') < l(q)\}.$

Below, given a p(·)-succinct ordinal automaton A of level k, we write $A^{\circ}$ to denote
the ordinal automaton of level k $(Q, \Sigma, \delta, E', I, F, l)$ with $E' = \bigcup_{t \in E} trans(t)$. The
language recognized by A is defined as the language recognized by $A^{\circ}$. In that way,
a p(·)-succinct ordinal automaton of level k is simply a succinct encoding of some
ordinal automaton of level k. An important property of such automata rests on the
fact that the size of E is in $O(|Q|^2 \times p(|Q|))$. By contrast, in an ordinary ordinal
automaton of level k, the cardinality of the set of limit transitions can be in the
worst case exponential in $|Q|$.
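As an added illustration of Definition 6 (example code, not taken from the paper), the Python sketch below tests whether a limit transition P → q belongs to trans(t) directly on the succinct tuple, and compares that with the brute-force expansion used to build A°. It reads the condition on the sets P_i as P_i ∩ P ≠ ∅ for every i from 0 to n; the state names, the sample tuple T and all function names are constructed for the example.

```python
from itertools import chain, combinations

def candidates(q, level):
    """States allowed on the left of a limit transition into q: level < l(q)."""
    return frozenset(s for s in level if level[s] < level[q])

def fires(t, P, level):
    """Is P -> q in trans(t)? Decided on the succinct tuple, in polynomial time."""
    *parts, q = t
    P = frozenset(P)
    return bool(P) and P <= candidates(q, level) and all(P & Pi for Pi in parts)

def expand(t, level):
    """trans(t) by brute force: enumerates every subset of the candidate states."""
    *parts, q = t
    C = sorted(candidates(q, level))
    subsets = chain.from_iterable(combinations(C, r) for r in range(1, len(C) + 1))
    return {(frozenset(P), q) for P in subsets if fires(t, P, level)}

def count(t, level):
    """|trans(t)| without enumeration, by inclusion-exclusion over the sets P_i
    that P fails to meet (exponential in the number of sets, not in |Q|)."""
    *parts, q = t
    C = candidates(q, level)
    total = 0
    for r in range(len(parts) + 1):
        for missed in combinations(parts, r):
            avoided = frozenset().union(*missed)
            total += (-1) ** r * 2 ** len(C - avoided)
    return total

def respects_levels(P, q, level):
    """Conditions 2 and 3 of Definition 5: max level in P is exactly l(q) - 1."""
    return max(level[s] for s in P) + 1 == level[q]

# Constructed sample: three level-0 states, two level-1 states, one level-2 state.
LEVEL = {"a": 0, "b": 0, "c": 0, "m": 1, "n": 1, "f": 2}
# Tuple (P0, P1, P2, q): P0 sits at level l(q) - 1, P1 and P2 below it.
T = (frozenset("mn"), frozenset("ab"), frozenset("bc"), "f")

def family(m):
    """Constructed family: one tuple over m level-0 states, 2^m - 1 transitions."""
    level = {f"s{i}": 0 for i in range(m)}
    level.update({"r": 1, "f": 2})
    zero = frozenset(s for s in level if level[s] == 0)
    return (frozenset({"r"}), zero, "f"), level

if __name__ == "__main__":
    print("expanded limit transitions for T:", len(expand(T, LEVEL)))
    print("same number by inclusion-exclusion:", count(T, LEVEL))
    for m in (4, 8, 16, 32):
        t, lv = family(m)
        print(f"m={m}: one tuple stands for {count(t, lv)} limit transitions")
```

The membership test `fires` is the operation a non-emptiness check needs; the expansion is only there to show the blow-up that the succinct form avoids.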

The automaton $A_\phi$ from Section 3.4 can be viewed as a $p_0(\cdot)$-succinct ordinal
automaton of level k with $p_0(x) = x$. Indeed, let $A'_\phi$ be the $p_0(\cdot)$-succinct ordinal
automaton of level k defined as $A_\phi$ with $l((X, n)) = n$ and $(P_0, P_1, \ldots, P_m, (X, n)) \in
E$ iff

• $n \ge 1$,

• $P_0 \cup \cdots \cup P_m \subseteq Q_{(X,n)}$ (see the definition of $Q_{(X,n)}$ in Section ).

• $P_0 = Q_{(X,n)} \cap \{(Y, n') \in Q : n' = n - 1\}$.

• Let us pose Z = {^iU' 3 ^ G d(^) : ^iV -"" ip 2 ) eXJ> oj n }. We have 
\Z\ = m and for every !f£2, {(X,n) : either ^2 € X or -.(^lU^Vto) G X} G 

{P!,...,P m } With V = VlU^- 

It remains to check that $m < |Q|$ (because of $p_0(\cdot)$). It is sufficient to observe
that $m < |cl(\phi)|$ and $|Q|$ is in $O(2^{|cl(\phi)|})$.

It is not difficult to show the following lemma:
Lemma 9

(I) $L(A'_\phi) = L(A_\phi)$.

(II) In the unary [resp. binary] case, $A'_\phi$ is of size exponential [resp. doubly
exponential] in $|\phi|$ and requires only polynomial [resp. exponential] space to be
built.
4.3. Key Properties to Test Non-emptiness

In this section, we establish a few properties about runs in ordinal automata of
level k.

Lemma 10 Let A be an automaton of level k and r be a run of length $\alpha + 1$ with
normal form $\beta + \omega^i \times n$, $n \ge 1$. Then $l(r(\beta + \omega^i \times n)) = i$.

The proof is by an easy verification (induction on i). Lemma 10 is a slight
generalization of Lemma. As a consequence, we obtain the following lemma.
Lemma 11 Let A be an automaton of level k. Then, its accepting runs are of
length $\omega^k$.

Lemma 12 below is the key property to obtain the NLOGSPACE upper bound for
the non-emptiness problem of ordinal automata of level k, even in their succinct
versions. It generalizes substantially the property that entails that the graph
accessibility problem and the non-emptiness problem for generalized Büchi automata can
be solved in non-deterministic logarithmic space. A Büchi automaton $(Q, \Sigma, \delta, I, F)$
accepts a non-empty language iff there exists a path $q_0 \xrightarrow{n} q_f \xrightarrow{n'} q_f$ such that $q_0 \in I$,
$q_f \in F$, $n < |Q|$ and $1 \le n' \le |Q|$. As usual, two states are in the relation $\xrightarrow{i}$ if there
is a path of length $i$ between them. Similarly, a Muller automaton $(Q, \Sigma, \delta, I, \mathcal{F})$
accepts a non-empty language iff there exists a path $q_0 \to q_1 \to q_2 \to \cdots \to q_{n'}$ such
that $q_0 \in I$, $q_1 = q_{n'}$, $\{q_1, \ldots, q_{n'}\} \in \mathcal{F}$ and $n' < |Q|^2$. Lemma 12 allows to
generalize what is known about automata recognizing $\omega$-sequences: $L(A)$ is non-empty
iff A has an accepting run composed of a prefix followed by a loop with bounded
length.

Lemma 12 Let A be an automaton of level k and r be a run of length $\omega^{k'} + 1$ for
some $1 \le k' \le k$. Then, there is a run $r'$ of length $\omega^{k'} + 1$ such that

• $r'(0) = r(0)$ and $r'(\omega^{k'}) = r(\omega^{k'})$,

• there are $K < |Q|$ and $K' < |Q|^2$ such that for every $\alpha > \omega^{k'-1} \times K$ such that
the normal form of $\alpha$ is $\omega^{k'-1} \times n + \beta$, $r'(\alpha) = r'(\omega^{k'-1} \times (n + K') + \beta)$.

The proof of Lemma 12 can be found in Appendix F.

A consequence of Lemma 12 is that an automaton $A = (Q, \Sigma, \delta, E, I, F, l)$ of level
k accepts a non-empty language iff there exists a run $r : \omega^{k-1} \times (K + K') + 1 \to Q$
for some $K < |Q|$ and $K' < |Q|^2$ such that $r(\omega^{k-1} \times K) = r(\omega^{k-1} \times (K + K'))$ and

$\{r(\beta) : \omega^{k-1} \times K < \beta < \omega^{k-1} \times (K + K')\} \to q_f \in E$

for some state $q_f$ of level k.

More precisely, by taking k' = k in Lemma the automaton A accepts a non- 
empty language iff there are K < \Q\ and K' < \Q\ 2 and q°, . . . , qQ +K ' ,q%+*' 
(these are landmark states of a run) such that 

(level ) <7oj ■ • ■ > 1o +K are °^ ^ eve l ^ an ^ 9o ^ 

(levelfc_i) qjf+X' are of level k - 1 and q%_ x = q^+f ■ 
(subruns) for every < i < K + K', there is a path j-j : ui k 1 + 1 — > Q such that
r i(0) = 9o and r^(wjf ) = q\_ v Each is part of a run from (uj k ~ 1 xi) + l 
to cj fc_1 X (i + 1). 

(k - 1 -> 0) for every <i < K + K', q{_ x -> gj +x . 

(last-transition) {r<(/3) : K < i < K + K' ,0 < (3 < w fc-1 } -> q f e E for some 
state g/ of level fc. 

Existence of the runs $r_0, \ldots, r_{K+K'}$ above leads to the existence of an accepting run
of length $\omega^k + 1$ as described below:

[Diagram: an accepting run made of a prefix of length $\omega^{k-1} \times K$ followed by a loop of length $\omega^{k-1} \times K'$.]



In Condition (subruns), the existence of the subruns can be expressed recursively in a
similar fashion, and the forthcoming algorithm to test non-emptiness is based on this.
Even though it is obvious to see how the algorithm can work recursively, we have
decided to provide the pseudo-code of the algorithm to underline some of its delicate
aspects (in particular to get the proper amount of used space).

It is worth observing that Lemma 12 also holds for p(·)-succinct ordinal automata
of level k since they form a special subclass of ordinal automata of level k. The
succinctness of the representation of the set of limit transitions plays no role in
Lemma 12.

4.4. An Optimal Algorithm to Test Non-emptiness

As seen earlier, non-emptiness is equivalent to the existence of some landmark 
states <7q, q^._i, ■ ■ • , <7q , StJi satisfying the five above-mentioned conditions. In 
order to test non-emptiness of the language recognized by an automaton of level k, 
we introduce a function acc(q, q') (see Fig. 1) that returns $\top$ iff there is a path r
of length $\omega^{l(q')} + 1$ such that $r(0) = q$ and $r(\omega^{l(q')}) = q'$. We design the following
non-deterministic algorithm:

Non-empty?(A)

Guess $q_0 \in I$ and $q_f \in F$;

acc($q_0$, $q_f$).

Non-determinism is also present in the definition of acc($q_0$, $q_f$). A few global
variables are used.

• The variables InLoop$_1$, ..., InLoop$_k$ are Boolean. Each variable InLoop$_i$ is
equal to true iff the algorithm is guessing the periodic part of a run of length
$\omega^i$ (which itself can belong to the periodic part of $\omega^j$ for some $j > i$). In
particular, InLoop$_k$ is equal to true if the algorithm is building the periodic
part of the global run, i.e. in the part $r_{K+1}, \ldots, r_{K+K'}$ according to the
notations of Sect. 4.3. In that case, every state in the run from q to q' has
to be recorded in order to be also able to fire the last limit transition (see
Condition (last-transition) in Sect. 4.3).

• Moreover, for every $i \in \{1, \ldots, k\}$, the variable $\uparrow_i$ contains the address of
the occurrence of a state in the left part of a rule $P \to q''$ with $l(q'') = i$:
$O(k \times \log|A|)$ bits are needed in total.

Remember that A is encoded as a string and the address of the occurrence of
a state is simply a position in that string, which requires only $O(\log|A|)$ bits. The
variable $\uparrow_i$ is updated when the state whose address is $\uparrow_i$ is detected in the periodic
part of the run.

In the definition of acc(q, q'), in order to test whether there is a path r of length
$\omega^{l(q')} + 1$ such that $l(q') \ge 1$, $r(0) = q$ and $r(\omega^{l(q')}) = q'$, Lemma 12 guarantees
that the periodic part of r is of length at most $\omega^{l(q')-1} \times |\delta|^2$ and the prefix is
of length at most $\omega^{l(q')-1} \times |Q|$. This explains the two main loops of acc(q, q').
The two "for" loops guess respectively the prefix and the period. Observe that the
iteration variable i is only used to guarantee that the lengths of the subruns are
correct. When a state t is guessed in the periodic part of the global run, one has to
check that t indeed belongs to rules of the form $P \to q''$ with $l(q'') > l(t)$ and one
updates the variables $\uparrow_j$ since t has been detected (see Fig. 2).
Lemma 13 Non-empty?(A) = $\top$ iff $L(A) \neq \emptyset$.

Let us briefly analyze the complexity of the algorithm. Global variables require
$O(k \times \log|A|)$ space and the recursive depth is at most k. By passing the variables
by reference, the whole algorithm requires space $O(k \times \log|A|)$.

As a consequence we obtain the following theorem.
Theorem 2 For every k > 0, the non-emptiness problem for ordinal automata of
level k is NLOGSPACE-complete.

It is worth observing that as a corollary of [16], the non-emptiness problem
for ordinal automata is in P. Herein, we refine this result for a subclass of ordinal
automata: for every k > 1, the non-emptiness problem for ordinal automata of level
k is in NLOGSPACE. However, our algorithm runs in time $O(|A|^{2 \times k})$: in order to
save space, we do not keep in memory the outcomes of previous accessibility checks
(similarly to the proof establishing that logarithmic reductions are closed under
composition). It is open whether the non-emptiness problem for ordinal automata
of level k for some k > is P-hard (k is not fixed).

Corollary 1 The non-emptiness problem for Muller automata (k = 1) is
NLOGSPACE-complete.

The NLOGSPACE upper bound is a consequence of Theorem 2 and the NLOGSPACE
lower bound can be obtained by reducing the graph accessibility problem.
Corollary 2 For all k > and polynomial p(·), the non-emptiness problem for
p(·)-succinct ordinal automata of level k is NLOGSPACE-complete.
acc(q, q')   (l(q') ≤ k, l(q) = 0)

k' := l(q') − 1;
If k' ≥ 0 then

  (initial-guesses)

    - InLoop_{k'+1} := false;

    - Guess a rule P → q';

    - ↑_{k'+1} takes the value of the address of the first state in P;

    - Guess K < |Q| and K' < |Q|^2;

    (*) q_0 := q;

  (guess-prefix) For i = 1 to K do

    - Guess q_{k'} ∈ P of level k';

    - Check&Update(q_{k'});

    - If acc(q_0, q_{k'}) then guess q_0 such that l(q_0) = 0 and q_{k'} → q_0
      otherwise abort;

    (*) q^{repeat}_{k'} := q_{k'} (forthcoming repeating state);

    (*) InLoop_{k'+1} := true;

    (*) Guess q_{k'} ∈ P of level k';

    (*) Check&Update(q_0); Check&Update(q_{k'});

  (guess-period) For i = 1 to K' do

    If acc(q_0, q_{k'}) then

      - Guess q_0 such that l(q_0) = 0 and q_{k'} → q_0;

      - q^ x := q_{k'};

      - Guess q_{k'} ∈ P of level k';

      - If i ≠ K' (not the last dummy guess) then
        (Check&Update(q_0); Check&Update(q_{k'}));

    otherwise abort;

  (final-check) If one of the conditions below fails then abort otherwise
  accept

    (C1) ↑_{k'+1} ≠ nil (some state in P has not been visited),

    (C2) q^" x ≠ q^{repeat}_{k'} (wrong choice of the repeating state of level k')

otherwise if q → q' then accept otherwise abort.

Figure 1: Accessibility function
Check&Update(q)
For 1 ≤ i ≤ k do

  (q is desirable) If InLoop_i = true and ↑_i contains the address of an
  occurrence of q in the left part of a rule then ↑_i takes the value of the next
  state in the rule or nil if there is no such remaining state;

  (q is undesirable) If InLoop_i = true and l(q) < i − 1 and q does not occur
  in the left part of the rule that is currently pointed by ↑_i then abort
  (one needs another variable to visit the states in the left part of that
  rule);

accept.

Figure 2: Update of the variables ↑_i

Indeed, for ordinary ordinal automata, rules $P \to q'$ in E are guessed (see Fig. 1)
whereas for p(·)-succinct ordinal automata of level k, we guess which element for
each $P_i$ occurring in $P_0, \ldots, P_m \to q'$ is repeated infinitely often. So we guess
$q_0, \ldots, q_m \to q'$ and contains the address of the occurrence of some $q_i$. Of
course we do not guess $q_0, \ldots, q_m \to q'$ at once for space saving but rather guess
each $q_i$ step by step. Because in succinct ordinal automata, we only specify the
existence of states repeated infinitely often (as in generalized Büchi automata), the
second condition can be deleted in Fig.

4.5. Optimal Complexity Upper Bounds

We are now in position to characterize the computational complexity of
satisfiability and model-checking problems.

Theorem 3 For every k > 1, the satisfiability problem for LTL($\omega^k$) is
PSPACE-complete when the integers are encoded in unary and the problem is
EXPSPACE-complete when the integers are encoded in binary.

The proof of Theorem can be found in Appendix El Another way to prove
Theorem |21 suggested to us in [37] consists in showing that LTL with strict Since
and Until over $\omega^\omega$-sequences is in PSPACE. Indeed, it is then possible to define
concisely a formula tfi stating that the current position is a multiple of $\omega^i$ for
i G u>. Our operators and X" for some i > 1 are then definable as follows: 

i/;U w V ~ ip' V A i/O u (-W A #)) and ~ ((^) u (^ A VO)- Renaming of 

subformulae are necessary to guarantee that the translation can be performed in
logarithmic space. It is however open whether for every countable ordinal $\alpha$, LTL
with strict Since and Until over $\alpha$-sequences is in PSPACE.

Complexity of the model-checking problem for LTL($\omega^k$) can be now fully
characterized.

Theorem 4 For every k > 1, the model-checking problem for LTL($\omega^k$) is
PSPACE-complete when the integers are encoded in unary and the problem is
EXPSPACE-complete when the integers are encoded in binary.

The proof of Theorem 4 can be found in Appendix H and it is a slight variant
of what exists for LTL. Theorem 4 can be refined by admitting succinct ordinal
automata as inputs of the model-checking problem.

Theorem 5 For every k > 1, the model-checking problem for LTL($\omega^k$) restricted
to x-succinct ordinal automata of level k is PSPACE-complete when the integers
are encoded in unary and the problem is EXPSPACE-complete when the integers are
encoded in binary.

Hence, even if the system is defined succinctly, the worst-case complexity remains
identical. The proof of Theorem 5 can be found in Appendix I.

5. Application: Control of Physical Systems 

In this section, we formalize the control problem of a physical system by a
computer system by using ordinal automata and the logics LTL($\omega^k$). Even though
it is the original motivation of our investigations on the logics LTL($\alpha$), at this point
of the paper we have all the necessary definitions and results to state concisely the
problem. Physical systems are often modelled by differential equations. Solving
those equations can then involve computations of limits. For example, the law of
movement of a bouncing ball implies that, when it is lifted-up, it will bounce an
infinite number of times in a finite amount of time. It can be seen as a Zeno sequence
of actions. We model a system by an ordinal automaton recognizing $\omega^k$-sequences.
For instance, the law of movement of the bouncing ball corresponds to $\omega^2$-sequences
and the set of acceptable behaviors of the ball is modelled by a set of sequences
of the same length $\omega^2$. On the other hand, the controller is an operational model
working on $\omega$-sequences.

Before stating the control problem, we need to give definitions about the way to
transform an ordinal automaton of level 1 into an ordinal automaton of level $k \ge 2$
that has relevant actions only on states in positions of the form $\omega^{k-1} \times n$ (lifting).
As usual, LTL($\omega^k$) formulae can be viewed equivalently as ordinal automata of level
k and we shall use these different representations depending on the context (see [3]
for a similar standard treatment between formulae and automata).

5.1. Lifting 

In order to synchronize the system S with a controller working on $\omega$-sequences,
we need to transform the controller so that its product with S only constrains
states on positions $\omega^{k-1} \times n$, $n \in \mathbb{N}$. The other positions are not constrained.
Definition 7 (Lifting) Let $A = (Q, \Sigma, \delta, E, I, F, l)$ be an automaton of level 1 (the
final states are the only states of level 1). We define its lifting $lift_k(A)$ at level $k \ge 2$
to be the automaton $(Q', \Sigma, \delta', E', I', F, l')$ by:

• $Q' = (\{0, \ldots, k-1\} \times (Q \setminus F)) \cup F$, $I' = \{k-1\} \times I$,

• $l'(q) = k$ for $q \in F$ and $l'((i, q')) = i$,

• $\delta' = \{(k-1, q) \xrightarrow{a} (0, q') : q \xrightarrow{a} q' \in \delta\} \cup
\{(i, q) \xrightarrow{a} (0, q) : 0 \le i < k,\ a \in \Sigma,\ q \notin F\}$,

• $E' = \{\{(0, q), \ldots, (i-1, q)\} \to (i, q) : 1 \le i < k,\ q \in Q\} \cup
\{\{(0, q_1), \ldots, (k-1, q_1), \ldots, (0, q_n), \ldots, (k-1, q_n)\} \to q : \{q_1, \ldots, q_n\} \to q \in E\}$.

Example. We present below an example of ordinal automaton A with limit
transition $\{q_0, q_1, q_2\} \to q_3$ and the corresponding automaton $lift_2(A)$ with limit
transitions $\{(0, q_0)\} \to (1, q_0)$, $\{(0, q_1)\} \to (1, q_1)$, $\{(0, q_2)\} \to (1, q_2)$, and
$\{(0, q_0), (1, q_0), (0, q_1), (1, q_1), (0, q_2), (1, q_2)\} \to q_3$.

[Figure: the automaton A and its lifting $lift_2(A)$.]




Proposition 5 For all $w \in$ ^ , $w \in L(lift_k(A))$ iff the word $w' \in$ defined by
$w'(i) = w(\omega^{k-1} \times i)$, is in $L(A)$.

The proof of Proposition 5 can be found in Appendix J.

5.2. The Control Problem 

Definition 8 (Physical system) A physical system S is modelled as a structure
$(A, Act_c, Act_o, Act)$ where

• A is an ordinal automaton of level k with alphabet $2^{Act}$ where $Act$ is a finite
non-empty set of actions,

• $Act_o \subseteq Act$ is the set of observable actions,

• $Act_c \subseteq Act$ is the set of controllable actions. The set of uncontrollable actions
is denoted by $Act_{nc}$.

A specification of the system S is naturally an LTL($\omega^k$) formula $\psi$. A controller C
for the pair $(S, \psi)$ is a system whose complete executions are $\omega$-sequences (typically
ordinal automata of level 1) verifying the properties below.

• Only observable actions are present in the controller. Hence, thanks to the
synchronization mode, in the product system between S and C, unobservable
actions do not change the C-component of the current state. So,

(obs) the alphabet of C is $2^{Act_o}$ and for every state q of C, there is a transition
$q \to q$.

• From any state of C, uncontrollable actions can always be executed:

(unc) $\forall q \cdot \forall a \subseteq Act \setminus Act_c$, there is a transition $q \xrightarrow{b} q'$ in C such that
$b \cap Act_{nc} = a$.

• Finally, the system S controlled by C satisfies $\psi$. Because S and C work
on sequences of different length, the controlled system is in fact equal to
$lift_k(C) \times_Y S$ for some set Y of synchronization vectors. S and C synchronize
on observable actions:

(syn) $Y = \{(X, X', X'') \in Act \times Act_o \times Act : X \cap Act_o = X',\ X = X''\}$.

This is equivalent to check the emptiness of the language of the product
automaton $(S \times_Y lift_k(C)) \times A_{\neg\psi}$.

Hence, the control problem for LTL($\omega^k$) is defined as follows:

input: a system $S = (A, Act_c, Act_o, Act)$ with ordinal automaton A of level k and
an LTL($\omega^k$) formula $\phi$ over atomic formulae in $Act$.

output: is there an ordinal automaton C of level 1 satisfying (obs) and (unc) and
such that all the words of length $\omega^k$ accepted by $S \times_Y lift_k(C)$ satisfy $\phi$ with
Y verifying (syn).

It is worth noting that the lifting construction oversimplifies the physical
synchronization between the system and the controller. Indeed, the fact that $lift_k(C)$
synchronizes with S every $\omega^{k-1}$ step idealizes the ability of the controller.
Assuming that C interacts with S at the steps $0 < \alpha_1 < \alpha_2 < \ldots$ with $\lim_{i \to \omega} \alpha_i = \omega^k$
is more realistic. With the construction $lift_k(C)$, it is implicitly assumed that $\alpha_i$ is
precisely $\omega^{k-1} \times i$.

The very complexity of the control problem is open (see related results in the
recent [14]) but as a consequence of Theorem 4 we obtain the following result.
Proposition 6 The problem of checking whether the language accepted by $(S \times_Y
lift_k(C)) \times A_{\neg\psi}$ is non-empty, given a physical system S, a controller C and a
specification $\psi$, is decidable.

We explained how to check that a controller is correct with respect to a
specification, but we do not address here the controller synthesis issue.

5.3. Example 

Consider that the system is a bouncing ball |2l)j with three actions lift-up, bounce
and stop, where only lift-up is controllable, and only stop and lift-up are observable.
The law of the ball is described by the following LTL($\omega^2$) formula:

4> = G" 2 {lift-up ^ ^(G" bounce A X" stop)) 
$G^\alpha \psi$ is an abbreviation for $\neg(\top\, U^\alpha\, \neg\psi)$. Informally, $\phi$ states that when the ball is
lifted-up, then it bounces an infinite number of times in a finite time and then
stops. An equivalent ordinal automaton $A_\phi$ working on $\omega^2$-sequences can be easily
defined. The specification is given by the following LTL($\omega^2$) formula:

ip = G^X 1 bounce 

Informally, $\psi$ states that the ball should almost always be bouncing.

A possible controller for this system is described by the following LTL formula: 

<p = lift-up A G^(stop lift-up) 

Informally, $\varphi$ states that the controller should lift-up the ball at the beginning and
then lift it up again each time it stops. Similarly, an equivalent ordinal automaton
$A_\varphi$ working on $\omega$-sequences can be easily defined.

6. Concluding Remarks 

We have introduced a family of temporal logics to specify the behavior of
systems by assuming that the sequence of actions is isomorphic to some well-ordered
linear ordering (see the bouncing ball example in Section |3J). Our aim is to
control such physical systems by designing controllers that safely work on $\omega$-sequences
but interact synchronously with the physical system in order to restrict their
behaviors. We have extended linear-time temporal logic LTL to $\alpha$-sequences for any
countable ordinal $\alpha$ closed under addition, by considering quantitative operators
indexed by ordinals smaller than $\alpha$. This is a new class of linear-time temporal logics
for which we have shown that LTL($\omega^\omega$) is decidable by reduction to the monadic
second-order theory of $(\omega^\omega, <)$ and for every k > 1, LTL($\omega^k$) satisfiability problem
is PSPACE-complete [resp. EXPSPACE-complete] when the integers are encoded in
unary [resp. in binary] generalizing what is known about LTL. Our proof technique
is inspired from [45] with significant extensions in order to deal with the interaction
between arithmetics on ordinals and temporal operators. We have introduced a
new class of succinct ordinal automata in order to fully characterize the complexity
of the logics. The treatment of these aspects leads to the most difficult technical
parts of the paper. Finally, the complexity results for satisfiability can be lifted
to model-checking: the model checking problem for LTL($\omega^k$) is PSPACE-complete
[resp. EXPSPACE-complete] when the integers are encoded in unary [resp. binary].

A lot of work remains to be done even though our logics working on $\omega^k$-sequences
have been shown to admit reasoning tasks of complexity similar to that of LTL.
Synthesis of controllers working on $\omega$-sequences on the line of Section 5 is on the
top of our priority list as well as the search for well-motivated examples where
ordinals greater than $\omega^2$ are needed. It is also natural to wonder whether LTL($\omega^\omega$)
satisfiability is an elementary problem and whether for every countable ordinal
$\alpha$, LTL($\alpha$) is decidable. Observe that the monadic second-order theory of every
countable ordinal $\alpha$ is known to be decidable ^3] but this theory has no addition
and we need it in some way in LTL($\alpha$) to deal with the operators $X^\beta$. Finally, LTL
is known to be initially equivalent to the first-order theory of $(\omega, <)$ by Kamp's
theorem [33] and by the separation theorem [24]. Is LTL($\omega^k$) also initially equivalent
to the first-order theory of $(\omega^k, <)$? It is unlikely the case since by |3J, the future
fragment of MLO over the class of ordinals does not have the finite base property.
Appendix A: Proof of Lemma IT1

First suppose that $\alpha = \omega^\beta$ and take $\beta_1 < \beta_2 < \omega^\beta$. The Cantor normal form
of $\beta_1$ [resp. $\beta_2$] is of the form $\omega^{\gamma_1} n_1 + \gamma'_1$ [resp. $\omega^{\gamma_2} n_2 + \gamma'_2$] with either $\gamma_2 > \gamma_1$ or
$n_2 > n_1$. Hence,

$\beta_1 + \beta_2 < \beta_2 + \beta_2 < \omega^{\gamma_2} \times n$

for some $n > 1$. Consequently, $\beta_1 + \beta_2 < \omega^\beta$ since $\omega^{\gamma_2} \times n < \omega^{\gamma_2 + 1} < \omega^\beta$.

Now suppose that the Cantor normal form of $\alpha$ is $\omega^{\beta_1}.n_1 + \cdots + \omega^{\beta_p}.n_p$ where
$p > 1$ and $n_p \neq 0$. The ordinals $\omega^{\beta_1}.n_1$ and $\omega^{\beta_1}$ are strictly less than $\alpha$, but their
sum is strictly greater. □
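The ordinal arithmetic used in Appendix A and in Lemma 10 can be made concrete for positions below $\omega^k$. The Python sketch below is an added example, not code from the paper: it stores an ordinal as the tuple of its Cantor normal form coefficients (index e holds the coefficient of $\omega^e$), and the function names and sample values are constructed for the illustration.

```python
def norm(c):
    """Drop trailing zero coefficients; c[e] is the coefficient of omega^e."""
    c = tuple(c)
    while c and c[-1] == 0:
        c = c[:-1]
    return c

def add(a, b):
    """Ordinal sum a + b: the terms of a below the leading exponent of b vanish."""
    a, b = norm(a), norm(b)
    if not b:
        return a
    e = len(b) - 1                            # leading exponent of b
    a = a + (0,) * (e + 1 - len(a))           # pad so that a[e] exists
    return norm(b[:e] + (a[e] + b[e],) + a[e + 1:])

def less(a, b):
    """Strict order on ordinals: compare coefficients from the highest exponent."""
    a, b = norm(a), norm(b)
    n = max(len(a), len(b))
    key = lambda c: tuple(reversed(c + (0,) * (n - len(c))))
    return key(a) < key(b)

def level(pos):
    """Level that Lemma 10 assigns to the state at position beta + omega^i x n
    (n >= 1): the exponent i of the last term. Position 0 is not covered by the
    lemma, so None is returned for it."""
    pos = norm(pos)
    return next((e for e, c in enumerate(pos) if c), None)

def lifted_step(i, k):
    """Position omega^(k-1) x i, where lift_k(C) is synchronized with the system."""
    return norm((0,) * (k - 1) + (i,))

def appendix_a_witness(alpha):
    """Second case of Appendix A: for alpha with at least two terms, return
    (omega^b1 . n1, omega^b1), both below alpha, whose sum exceeds alpha."""
    alpha = norm(alpha)
    if sum(1 for c in alpha if c) < 2:
        return None
    e = len(alpha) - 1
    return (0,) * e + (alpha[e],), (0,) * e + (1,)

if __name__ == "__main__":
    one, omega = (1,), (0, 1)
    print("1 + omega =", add(one, omega), " omega + 1 =", add(omega, one))
    print("level of omega.3 + 5:", level((5, 3)), " level of omega.3:", level((0, 3)))
    x, y = appendix_a_witness((3, 2))         # alpha = omega.2 + 3
    print("witness:", x, "+", y, "=", add(x, y))
```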

Appendix B: Proof of Proposition

By Lemma|21 it is sufficient to show that LTL($\omega^\omega$) is decidable. We extend the
standard translation from LTL into the monadic second order theory of $(\omega, <)$ in
order to translate LTL($\omega^\omega$) into the monadic second order theory of $(\omega^\omega, <)$ since the
monadic second order theory of $(\alpha, <)$ for every countable ordinal $\alpha$ is decidable
Theorem 4.12]. The main difficulty rests on the definition of a formula $+_\beta(x, y)$ for
some $\beta < \omega^\omega$ such that $(\omega^\omega, <) \models_v +_\beta(x, y)$ with $v : \{x, y\} \to \omega^\omega$ iff $v(y) = v(x) + \beta$.
The relation $\models_v$ is the standard satisfaction relation under the valuation $v$. It is
worth observing that addition is not present in the monadic second order theory
of $(\omega^\omega, <)$. With the help of $+_\beta(x, y)$ we define a two-places map $t(\cdot, \cdot)$ such that
for any LTL($\omega^\omega$) formula $\phi$ built over the propositional variables $p_1, \ldots, p_n$, for
any a : ^ -» 2^ 1 -- we have cr,0 |= </> iff <, P x , . . . , P„) K *(<Mo) with 
v(x ) = and for 1 < I < n, Pi = {f3 G uj^ : p x G a(j3)}. 

• t(p, x) = p(x), t(<p Aip,x) — t(4>, x) A t(tp, x), t(->4>, x) = ->t(<p, x), 

• t(X^,x) = By + (x,y)At(4>,y), 

• t(<f>1jPip, x) = 3 y y' +{3 (x, y') A (x < y A y < y') A t(ip, y) A (V z (x < z A z < 
I/) if/? <w". 

• t{4>^ip, x) = 3 y (x < y) A t(ip, y) A (V z (x < z A z < y) t((j>, z)). 

The formulae of the form +p(x, y) with f3 < u) u are inductively defined as follows: 
!• +o(a;,J/) = (a; = y), 

2. +1(2;, y) = \f z (z > x ^ y < z) A (x < y), 

3- + w fc„+^(a;, y) = 3 z + w /c (x, z) A + tJ k. {n _ 1)+p (z, y) (n > 1, k > 0), 

4. (a;, y) (fc > 1) is defined as 3 X (f>i A ■ ■ ■ A (p§ where the <^s are defined as 
follows. 

(a) (pi = V z z G X x < z, 

(b) (P 2 = V z, z' (z G X A (2, «')) 

(c) 03 = 3 z z G X A + LU k-i(x, z), 

(d) </>4 = V z z G X =>• z < y, 
(e) 5 = V z (V z' (z 1 eX^z' <z))^y< z,

(f) 6 = V X' (X' C X) <\q V 0J where the 07s are defined as follows. 

i. ^=^(V z,z' (z e X' A+ wk -i (z,z')) ^ z' G X'), 

ii. 03 = -i(3 z z <E X' A +ujk-i (x, z)). 

It is not difficult to show that the definition of $+_\beta(x, y)$ with $\beta < \omega^\omega$ is correct since
the recursive steps involve only ordinals strictly less than $\beta$. Some explanations
are in order. In (4.), the variable $X$ is enforced to be interpreted as the set $\{\gamma +
\omega^{k-1}, \gamma + \omega^{k-1} \times 2, \gamma + \omega^{k-1} \times 3, \ldots\}$ where the variable $x$ is interpreted by $\gamma$. The
value of $y$ is then the limit of this set. By satisfaction of $\phi_4$ and $\phi_5$, $y$ is interpreted
as the least upper bound of $\{\gamma + \omega^{k-1}, \gamma + \omega^{k-1} \times 2, \gamma + \omega^{k-1} \times 3, \ldots\}$ which is
precisely $\gamma + \omega^k$. The formula $\phi_6$ states that $X$ is interpreted as the smallest set
satisfying the formula $\phi_1 \wedge \phi_2 \wedge \phi_3$. □

Appendix C: Proof of Lemma 5

Lemma C.1 below states a useful property about Hintikka sequences.
Lemma C.1 Let $\rho : \omega^k \to 2^{cl(\phi)}$ be a Hintikka sequence for $\phi$. For all $\beta < \omega^k$ and
$X^{\beta'} \psi \in cl(\phi)$, $X^{\beta'} \psi \in \rho(\beta)$ iff $\psi \in \rho(\beta + \beta')$.

Proof. By using (hin3), it is easy to show by induction that for all $\beta'' < \beta'$,
$X^{\beta'} \psi \in \rho(\beta)$ iff $X^{\beta' - \beta''} \psi \in \rho(\beta + \beta'')$. Hence, $\psi \in \rho(\beta + \beta')$. □

The proof of the lemma is by induction on the structure of $\psi$. The base case
with propositional variables and the cases with Boolean operators in the induction
step are by an easy verification.

Case 1: $\psi = X^{\beta'} \varphi$ with $\beta' >$

By Lemma C.1, $\psi \in \rho(\beta)$ iff $\varphi \in \rho(\beta + \beta')$. By induction hypothesis, $\varphi \in \rho(\beta + \beta')$
is equivalent to $\sigma, \beta + \beta' \models \varphi$ which is equivalent to $\sigma, \beta \models \psi$ by definition of $\models$.

Case 2: $\psi = \psi_1 U^{\beta'} \psi_2$

The propositions below are equivalent:

1. $\psi \in \rho(\beta)$,

2. there is $\beta < \gamma < \beta + \beta'$ such that $\psi_2 \in \rho(\gamma)$ and for every $\beta < \gamma' < \gamma$,
$\psi_1 \in \rho(\gamma')$ (by (hin4)),

3. there is $\beta < \gamma < \beta + \beta'$ such that $\sigma, \gamma \models \psi_2$ and for every $\beta < \gamma' < \gamma$,
$\sigma, \gamma' \models \psi_1$ (by induction hypothesis),

4. $\sigma, \beta \models \psi$ (by definition of $\models$).

□ 

Appendix D: Proof of Lemma 7

We show that the set of sequences $\rho : \omega^k \to 2^{cl(\phi)}$ obtained from accepting runs
$r : \omega^k + 1 \to Q$ of $A_\phi$ as described below is precisely the set of Hintikka sequences
for $\phi$. $\rho$ is defined from $r$ as follows: for every $\alpha < \omega^k + 1$, $\rho(\alpha) = X$ where
$r(\alpha) = (X, tail(\alpha))$.

(I) First, we show that if $r : \omega^k + 1 \to Q$ is an accepting run, then $\rho$ is a Hintikka
sequence for $\phi$. Satisfaction of (hin1) and (hin2) is immediate.

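(hin3) We want to show that for all $\alpha < \omega^k$, $X^{\alpha'}\psi \in cl(\phi)$ and $0 \le n < k$ such that 
$\alpha' \ge \omega^n$, $X^{\alpha'}\psi \in \rho(\alpha)$ iff $X^{\alpha'-\omega^n}\psi \in \rho(\alpha + \omega^n)$. When $n = 0$, the property is satisfied 
thanks to (A3) in $\mathcal{A}_\phi$. Otherwise suppose that $X^{\alpha'}\psi \in \rho(\alpha)$ and $\alpha' \ge \omega^n$ with $n \ge 1$. 
We can show by transfinite induction, that for every $\beta < \omega^n$, $X^{\alpha'}\psi \in \rho(\alpha + \beta)$. The 
base case $\beta = 0$ is obvious. In the induction step with $\beta + 1 < \omega^n$, (A3) guarantees 
that $X^{\alpha'}\psi \in \rho(\alpha + \beta)$ implies $X^{\alpha'}\psi \in \rho(\alpha + \beta + 1)$ since $\alpha' - 1 = \alpha'$ (remember 
$\alpha' \ge \omega$). Now suppose $\beta$ is a limit ordinal strictly smaller than $\omega^n$ and for every 
$\beta' < \beta$, $X^{\alpha'}\psi \in \rho(\alpha + \beta')$. By (A5), $X^{\alpha'-\omega^{tail(\beta)}}\psi \in \rho(\alpha + \beta)$. Since $\beta < \omega^n$ and 
$\alpha' \ge \omega^n$, $\alpha' - \omega^{tail(\beta)} = \alpha'$. So, for every $\beta < \omega^n$, $X^{\alpha'}\psi \in \rho(\alpha + \beta)$. By (A5), we 
obtain $X^{\alpha'-\omega^n}\psi \in \rho(\alpha + \omega^n)$. 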

Now suppose that X" ip G p(a + u) n ) with a' > u) n and n > 1. So there is 
a limit transition Z — > (p(a + w n ),n) such that for every (Y, n') G X" ip G F. 
Since Z = inf(a + ut n , r), there is a < (3 < a + oj n such that X" ip G p((3). We can 
now show that for every a < (3' < (3, X" ip G p(/3')- This can be proved as above by 
observing that for such (3' , tail((3') < n and therefore a' — m tml ^ ) = a'. 

(hin4) We show that for all $\alpha < \omega^k$ and $\psi_1 U^{\alpha'} \psi_2 \in cl(\phi)$, (A) $\psi_1 U^{\alpha'} \psi_2 \in \rho(\alpha)$ iff 
(B) there is $\alpha \le \alpha'' < \alpha + \alpha'$ such that $\psi_2 \in \rho(\alpha'')$ and for every $\alpha \le \beta < \alpha''$, 
$\psi_1 \in \rho(\beta)$. 

If $sum(\alpha') = 0$ or $\alpha' = 1$, then the proof is immediate since $\rho(\alpha)$ satisfies (mc5) 
and (mc8), respectively. 

The proof is by induction on $sum(\alpha')$ with obvious base case $sum(\alpha') = 0$. 

Base case 1: sum{a') = 1. 

Suppose a' = u N for some 1 < N < k. 

Proof of "(A) implies (B)". 
The proof is by induction on N. 
Case 1: N= 1 ( "LTL case"). 

Suppose ip^ip 2 G p{a). If V'lU 1 ^ G p(a), then (B) trivially holds. Otherwise, 
ipi, I. 1 (ipiXS'* 1 ip 2 ) G p(a) and by (mc5) V'lU ^ ^ p(« + ^)- By definition of limit 
transitions, there isa<a + i<a + uj such that r(a + i) G P-^^^ with i > 0. 
Take the minimal z satisfying this property So for every < j < i, -0iU w V2, ^ip2 G 
p(a + j). 

Suppose that ipiU"^ ^ p{a + i) and not V2 G p(a + i). If z = this leads 
immediately to a contradiction. Otherwise, by (mc6) i/'iU"^, ^ip2 G p(a + (i — 1)) 
implies X 1 ( , 0iU"V'2) G p(a+(i— 1)) which is in contradiction with 011F02 $ p(a + i). 
So ■02 G p( a + By (mc6), for every < j < i, 0iU"02, ^02 G p(« + j) implies 
0i € /o(a + j). Hence, for every < j < i, 0i G /o(a + j) and 02 G + So (B) 
holds true. 
Case 2: N > 1. 

Suppose i>iV" N ip2 G If there is AT' < AT such that ^lU^ 2 e /9(a), then 

by induction hypothesis, (B) holds true. Otherwise, let us treat the case when for 
every N' < N, 0iU w 02 ^ p( a )- Since 0iU°02 ^ p(a + u N ), there is a* such that 
a < a + a* < a + and r(a + a*) (~l P^ lX j" N ti> 2 ^ s non-empty. Take a* to be the 
minimal such an ordinal. It exists since the set of ordinals is well-ordered. 
Case 2.1: 2 G p{a + a*). 

N 

By minimality, for every a < (3 < a + a*, 0iU w 02,^02 € p(P)- By (mc6), for 
every a</3<a + a*,0i£ p(/3). So (B) holds true. 
Case 2.2: 2 & p(ot + a*). 

Consequently, 0iU w 02 ^ p{ot + a*) since r(a -I- a*) (~l P^ lX s" N ti) 2 ne Q®- We shall 

show that this case leads to a contradiction. 

Case 2.2.1: a + a* is a successor ordinal, say a* = «q + 1. 

Since 0iU" 02, _| 02 G p(a + ajj) by minimality, satisfaction of (mc6) implies 

X 1 (0iU w 2 ) G p(a + a*). 

Hence, 0iU wJY 2 G p(a + + 1), a contradiction. 
Case 2.2.2: a + a* is a limit ordinal. 

There is a limit transition Z — > r(a + a*) such that inf(a + a*,r) = Z. Since 
ujN _ UJ taii( a *) = ( a * < and ^u^^ + there is (Y, n') G Z such 
that (y, n') G P^xs^ jb 2 - As inf(a + a*, r) — Z , there is a < /3 < a + a* such that 
r(/3) G P^yuiXt \h 2 i a contradiction by minimality of a + a*. 

Proof of "(B) implies (A)" (in Base case 1). 

We show a bit stronger property: for all a < uj k , 0iU a 02 G cl((f>) and < a" < a' , 
if 0iU Q _a 02 G p(a + a") and for every < 7 < a", 0i G p(a + 7), then 
0iU a '02 G p(a). By Lemma I3III), we know that 0iU Q '- Q "02 G d(0). So if 
(B) holds true, that is, there is < a" < a' such that 02 G p(a + a") and for 
every < (3 < a", 0i G p(a + (3), then 0iU Q 2 G p(a). Indeed, by (mc8), 
0iU 1 2 G p(a + a") and by (mc7), 0iU Q '~ Q "02 G p(a + a"). 
The proof is by structural induction on a" . 
Base case 2: a" = 0. 
Immediate. 
Induction step 2. 

We distinguish two cases depending whether a" is a limit ordinal or not. 
Case 1: a" = a* + 1. 

Since a' — (a* + 1) = (a' — a*) — 1 and by hypothesis, 0i G p(a + a*) and 
X 1 (0iU( a '^ Q *'~ 1 02) G p{a + a*). By (mc6), 0iI0 q/ - q *>02 G p(a + a*) and by 
induction hypothesis, 0iU Q 02 G p(a). 
Case 2: a" is a limit ordinal (tail {a") > 1). 
Suppose that a" = a* + u; tatl ( a ) x n for some n > 1. There is a limit transi- 
tion Z — > (r(a + a"), tail (a")) in ^ such that inf(a + a",r) = Z. By (mc4), 
xO^iU"'-""^) G p(a + a"). By (A5), for every (Y, n') G Z, 

x- to< ' (< *" ) (ViU a '- a 'V 2 )eK 

Since in/ (a + a", r) = there is /3 > a* + w toi '( a ) x (n — 1) such that for every 
/3 < 7 < a", r(a + 7) G Z. Hence, for every /3 < 7 < a", j? taili °'" ) (fatf*' ~ a " fo) G 
p(a + 7). Since (A) implies (B) and by hypothesis, for every (3 < 7 < a", 
ipi G p(a + 7), we have that for every /3 < 7 < a", n(Tlf'"' ( ° ~<ipi) G p(a + 7). So 
by (mc6), >+ ( a ~ Q 'V2 £ p(a + 7) for every (3 < 7 < a". Since for every 

/3 < 7 < a", 7 + w tm/ ( Q ") = a", we have uj tail(a '"> + (a' - a") = a' - 7. Hence, for 
every /3 < 7 < a", ViU" ~ J ip2 G p(a + 7)- In particular, ViU" _/3 V'2 G p(a + (3). By 
induction hypothesis, ^£>iU a V2 G p(a). 

Induction step 1: sum(a') > 2. 
By (mc6), ViU Q 'i/>2 G p(a) iff 

N 

• either V'lU" ^2 G p(a), 

• or ^(TU wJV ^Vi),X wlV (^iU Q '- wlV ^2) G p(a) 

where AT = head(a'). Since sum{uj N ) < sum(a') and sum(a' —uj n ) < sum(a'), by 
induction hypothesis we obtain that either there is a < a" < a + oj N such that ip2 G 
p(a") and for every a < (3 < a", ipi G p{(3) or for every a < (3 < a + uj n , -0! G p(/3) 
and X a,N (V>iU a '- a,iV '!/'2) G /9(a). Since p satisfies (hin3), X^ (^iU"'-"" ip 2 ) G p(a) 
iff (V'iU" ~" V2) G p(c* + w )• By induction hypothesis, we obtain that for every 
a < (3 < a + uj n , ipi 6 p{(3) and X"™ (V^U"'^™ ip 2 ) G p(a) is equivalent to: for 
every a < (3 < a + u N , ipi G p(/3) and there is a + uo N < a" < a + a' such that 
1P2 G p(a") and for every a + uj n < (3 < a", tpi £ p{(3)- Hence, (B) holds true. 

(II) Now we show that for every Hintikka sequence $\rho$ for $\phi$, the sequence $r : \omega^k + 1 \to Q$ 
defined by $r(\alpha) = (\rho(\alpha), tail(\alpha))$ is an accepting run of $\mathcal{A}_\phi$. For technical reason, 
suppose also that $r(\omega^k + 1)$ takes an arbitrary value of the form $(X, k)$. Observe 
that 

• $(\rho(0), 0) \in I$ since $\phi \in \rho(0)$ by (hin1), 

• $(\rho(\omega^k), k) \in F$, 

• for every $0 \le \alpha < \omega^k$, $(\rho(\alpha), tail(\alpha)) \to (\rho(\alpha + 1), 0)$ since $\rho$ satisfies (hin3). 

The only property that really deserves to be checked is that for every limit ordinal 
$\alpha$, $inf(\alpha, r) \to (\rho(\alpha), tail(\alpha))$ is a valid limit transition of $\mathcal{A}_\phi$. We write 
$\alpha = \alpha^* + \omega^{tail(\alpha)} \times n$ for some $n \ge 1$. Since $\alpha$ is a limit ordinal, we also have $tail(\alpha) \ge 1$: 
condition (A6) is satisfied. 
Observe that 

inf(a, r) C {r{(3) : a* + tu tml ^ x (n - 1) < (3 < a}. 
So for every (Y, n') G inf(a,r), n' < n — 1: condition (A4) is satisfied. 
Since 

{r(a* + tu tml ^ x (n - 1) + w" 1 ^"^ 1 x t) : i > 0} 

is finite, there is m > such that r(a*+c<j tad ( a ) x (n-l)+w tal ^ Q ^ 1 xm) G inf(a, r): 
condition (A8) is therefore satisfied. 

Let (i be such that a* + w tMi («) x (n - 1) < /3 and r(/3) G inf(a,r). We have 
/3 + w toi K«) = Q an d by satisfaction of (hin3), for all a' > u tail{a ^ and X Q > G d{4>), 
X a 'ip G p(/3) iff x a '-' J '°*' < °V g p(a). Hence, condition (A5) is satisfied. 
It remains to check that condition (A9) holds true. Let (3 be such that a*+Lu tal1 ^ x 
(n - 1) < P and r((i) G m/(a, r), a' be such that a 1 > uj tail ( a ) and ipiU a 'ip 2 € cZ(0). 
Since r(/3) G inf(a, r), there is a countable family of ordinals (Pi)ieN such that 

• for every i > 0, 

- rift) = r(/3), 

- A < /3 i+ i < a. 

• for every 7 such that a* + u tall ( a ) x (n — 1) < 7 < a, there is j > such that 

By satisfaction of (mc6), ip\\S a ip 2 G p{(3) iff either 

V>iU w ™V>2 Gp(/3), or 

^(TU- taa(a, ^ 1 ),X- tai!(a) (^U a '- ta<i(a V2) G 
Suppose that i/iiU"'^""'* ' 02 ^ By satisfaction of (A5), we get 

So ViU a > 2 G p(/3) iff ViU w * aii(a V2 G p(/3). If 0iU"V 2 £ then r(/3) G i^^. 
Otherwise, for every i > 0, 0>iU" 02 G and therefore for every i > 0, 

0iU w ( '-02 G p{fii)- Since for every i > 0, /3j + u/ ad ( Q ) = a, by satisfaction 
of (hin4), we obtain that for every i > 0, there is /3j < $ < a such that -02 G p((3'i)- 
So there is a family of ordinals (/3j.)ieN such that 

• $ o = $ for some I > 0, 

• for every i > 0, 

- r(p' ti ) = r(ft), 

- P'u < 0t i+1 < «■ 

• for every 7 such that a* + w tall ( a ) x (n — 1) < 7 < a, there is j > such that 
Consequently, r{(3[) 6 in./ (a, r) and ip 2 & r (fli), which means that r([3[) €E P^ lV oc'^ 2 - 
Hence, condition (A9) is satisfied. □ 

Appendix E: Proof of Lemma 151 

The EXPSPACE upper bound can be obtained by designing an obvious exponential 
space translation into LTL which is known to be PSPACE-complete 02]. Indeed, 

1. $X^n\phi$ is equivalent to $\underbrace{X \cdots X}_{n \text{ times}}\phi$, 

2. $\phi_1 U^{\omega} \phi_2$ is equivalent to $\phi_1 U \phi_2$, and 

3. $\phi_1 U^n \phi_2$ ($n \ge 1$) is equivalent to $\phi_2 \vee (\phi_1 \wedge X(\phi_1 U^{n-1} \phi_2))$ and $\phi_1 U^0 \phi_2$ is equivalent 
to $\bot$. 
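
The three rewriting rules above, as an added example that is not code from the paper: the translation into plain LTL, a size measure showing the blow-up when the index is written in binary, and an evaluator over ultimately periodic words that checks the rewritten formula against the bounded-operator semantics. The tuple encoding of formulas and the names `translate`, `size`, `holds`, `agree` and `BLOWUP` are assumptions of this example.

```python
OMEGA = "w"  # index of the unbounded until U^omega (label chosen for this example)

def translate(f):
    """Rewrite X^n and U^n (finite n) into plain LTL: only X^1 and U^omega remain."""
    op = f[0]
    if op in ("ap", "false"):
        return f
    if op == "not":
        return ("not", translate(f[1]))
    if op in ("and", "or"):
        return (op, translate(f[1]), translate(f[2]))
    if op == "X":                          # item 1: X^n phi -> X ... X phi (n times)
        g = translate(f[2])
        for _ in range(f[1]):
            g = ("X", 1, g)
        return g
    n, a, b = f[1], translate(f[2]), translate(f[3])   # op == "U"
    if n == OMEGA:                         # item 2: U^omega is the standard until
        return ("U", OMEGA, a, b)
    g = ("false",)                         # item 3: phi1 U^0 phi2 -> false
    for _ in range(n):                     # phi1 U^m phi2 -> phi2 or (phi1 and X(phi1 U^{m-1} phi2))
        g = ("or", b, ("and", a, ("X", 1, g)))
    return g

def size(f):
    """Node count of the formula tree (iterative, so deep unfoldings are safe)."""
    count, stack = 0, [f]
    while stack:
        g = stack.pop()
        count += 1
        stack.extend(x for x in g[1:] if isinstance(x, tuple))
    return count

def holds(f, prefix, loop, i):
    """Truth of f at position i of the word prefix.loop^omega (letters are sets of atoms)."""
    P, L = len(prefix), len(loop)
    op = f[0]
    if op == "false":
        return False
    if op == "ap":
        return f[1] in (prefix[i] if i < P else loop[(i - P) % L])
    if op == "not":
        return not holds(f[1], prefix, loop, i)
    if op == "and":
        return holds(f[1], prefix, loop, i) and holds(f[2], prefix, loop, i)
    if op == "or":
        return holds(f[1], prefix, loop, i) or holds(f[2], prefix, loop, i)
    if op == "X":
        return holds(f[2], prefix, loop, i + f[1])
    # U^n: witness j with i <= j < i + n; for U^omega, P + L steps cover every distinct suffix
    for j in range(i, i + (P + L if f[1] == OMEGA else f[1])):
        if holds(f[3], prefix, loop, j):
            return True
        if not holds(f[2], prefix, loop, j):
            return False
    return False

def agree(f, prefix, loop, upto):
    """True when f and its LTL translation have the same truth value at positions 0..upto-1."""
    g = translate(f)
    return all(holds(f, prefix, loop, i) == holds(g, prefix, loop, i) for i in range(upto))

p, q = ("ap", "p"), ("ap", "q")
BLOWUP = {b: size(translate(("U", 2**b - 1, p, q))) for b in (2, 4, 8)}
```

An index written with b bits can be as large as 2^b - 1, and the unfolding of rule 3 has 5n + 1 nodes for index n, so the translated formula is exponential in the size of the binary-encoded input.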

In order to show the EXPSPACE lower bound, we present a reduction from the $2^n$-corridor 
tiling problem that is EXPSPACE-complete, see 03] and references therein. 
A tile is a unit square of one of the several tile-types and the tiling problem we 
considered is specified by means of a finite set $T$ of tile-types (say $T = \{t_1, \ldots, t_l\}$), 
two binary relations $H$ and $V$ over $T$ and two distinguished tile-types $t_{init}, t_{final} \in T$. 
The tiling problem consists in determining whether, for a given number $n$ in 
unary, the region $[0, \ldots, 2^n - 1] \times [0, \ldots, k - 1]$ of the integer plane for some $k$ can 
be tiled consistently with $H$ and $V$, $t_{init}$ is the left bottom tile, and $t_{final}$ is the 
right upper tile. 

Given an instance $I = (T, t_{init}, t_{final}, n)$ of the tiling problem, we build a formula 
$\phi_I$ such that $I = (T, t_{init}, t_{final}, n)$ has a solution iff $\phi_I$ is LTL($\omega$) satisfiable. For 
$t \in T$, we introduce the propositional variable $p_t$. Additionally, we introduce the 
variable $p_{end}$ stating that the end of the tiling plane is reached and $p_{newline}$ stating 
that a new line starts. The formula $\phi_I$ is the conjunction of the following formulae: 

• The region of the integer plane for the solution is finite: 

^Pend A ( — *PendS^ {jpnewline 

• There is exactly one tile per element of the plane region: 

G^hPend \/(P* A A "**))■ 

• Constraint on the right upper tile: 

pUJ (Pt flnal AXVend)- 

• Constraint on the left bottom tile: 

Pnewiine A Pti n n ■ 

• New line: 

G {Pnewiine ^-^ X Pnewiine^) A X ~~ '(TU Pnewiine*) 
• Horizontal consistency: 

not the last element of a row 



G"(( (^Pnewline) ^Pend) f\(pt V X W,.))- 

t£T (t,t hor )eH 

• Vertical consistency: 

not on the last row 



^{/\{Pt A -p e „ d A F w (X 1 ^ end A Y} PnewU ne)) => V x2 "Pt^ )■ 

t€T {t,t V er)eV 

One can show that the instance $I = (T, t_{init}, t_{final}, n)$ has a solution iff $\phi_I$ is LTL($\omega$) 
satisfiable. □ 

Appendix F: Proof of Lemma 1121 

Let r be a run of length ui k (r(0) G I). There is a rule P ^ q' E E such that 

• l[q') = k' and r(w fc ) = q' (by Lemma ITOft . 

• inf(cu k ,r) = P, 

• there is n > such that P = {q E Q : (3 > w fe _1 x n, r{(3) = q}. 

Lu k _1 x n is the ordinal after which all states r(/3) with /? > uj k _1 x n occurs infinitely 
often. Suppose there exist ni,ri2 > such that n\ < n-i < n and r(u> k _1 x ni) = 
r(uj k _1 x ri2). Then r 1 defined below is also a run of length ui k with r'(0) € /: 



for every (3 < uj xni, r'(/3) = ?"(/?)• 

• for every (3 > uj k _1 x m such that its normal form is ui k _1 x +7, r'((3) = 
r(w fc ' _1 x (n^ + (n 2 - «i)) +7)- We still have P = {q E Q : (3 > u> k ~ x x (n — 
(n 2 -m)), r'(/3) = g }. 

By applying this transformation an adequate number of times (at most $n$ times), 
we can assume that $n < |Q|$ and we fix $K = n$. 

Now we shall define $K'$. Assume that $P = \{q_0, \ldots, q_s\}$. We order the members 
of $P$ by decreasing level and the states with identical level are arbitrarily ordered. 
We introduce for technical reasons an artificial state $q_{s+1}$ equal to $q_0$. Without any 
loss of generality, we can assume that $r(\omega^{k-1} \times n) = q_0$. We define 

• a family (jii)o<i< s +i of natural numbers such that < n^+i — n, < \Q\, 

• families ((3i)o<i< s +i and (f3' i )o<i<s+i of ordinals smaller than ui k such that 
the normal form of (3i is cu k _1 x rii + f3[. 

The base case i = is defined as follows: f3o — Lo k _1 x n, no = n and f3' Q = 0- 
Then, let us define Uj+i, and (3' i+1 assuming that n^, f3i and (3^ are already 

defined. Since inf(ui k ,r) = P and 6 P, there is > ui k _1 x n, such that 
r(/3j_|_i) = qi+i and fa+x = w fe 1 x n^+i + /3- +1 . By applying a reasoning similar to 
the one showing that K < \Q\, we can assume that n i+ i — < \Q\. 

Consequently, there are families (ni)o<»< s +i, (A)o<i<s+i and (/3-)o<i<s+i such 
that for every i £ {0, . . . , s + 1} 

• < rii + i — rii < \Q\ for every < i < s. 

Hence n s+ i — uq < \Q\ 2 . We fix K' = n s +i — no- Then r' defined below is also a 
run of length uj k (r(0) G I): 

• for every (3 < uj*'- 1 x (K + K'), r'((3) = r(j3). 

• for every (3 > uj k ~ 1 x (K + K') such that its normal form is Lu k _1 x n' + 7, 
r'(/3) = r(cj fc ' _1 x (K + m) + 'y) with n' — K =k> m for some < m < K' — 1. 

Observe that P = {q : K < (3" < K + K', r'[j3") = q}. Hence r' satisfies the 
properties stated in Lemma IT^l □ 

Appendix G: Proof of Theorem [3] 

In the unary case, the PSPACE lower bound is a consequence of the PSPACE-hardness 
of LTL 021 whereas in the binary, EXPSPACE-hardness is a corollary of 
Lemma |H1 

As far as the upper bound is concerned, in the unary [resp. binary] case, $\mathcal{A}'_\phi$ is 
of size exponential [resp. doubly exponential] in $|\phi|$ and requires only polynomial 
[resp. exponential] space to be built. By adapting the proof of [HI Corollary 3.36] 
and by considering Corollary and Lemma we obtain that given $\phi$, testing the 
emptiness of $L(\mathcal{A}'_\phi)$ can be done in PSPACE [resp. EXPSPACE]. □ 

Appendix H: Proof of Theorem [I] 

We show EXPSPACE-completeness with the binary encoding, the proof of the 
PSPACE-completeness with unary encoding being quite similar. 

In order to establish EXPSPACE-hardness, let us consider a deterministic Turing 
machine $M = (\Sigma, Q, q_0, \delta)$ with transition function $\delta : Q \times \Sigma \to Q \times \Sigma \times \{-1, 0, 1\}$. 
$Q$ contains the special states for acceptance (called accept here), rejection and 
halting. Similarly, we assume that the alphabet $\Sigma$ contains the blank symbol blank 
and the left marker $\triangleright$. Finally, we assume that once the machine enters the 
acceptance state, it loops on it without moving the read/write head and without 
changing the tape content. In order to show EXPSPACE-hardness, we suppose that 
$M$ runs in space $2^{n^K}$ with $n$ the size of the input for some $K > 1$. 
Let £' be the new alphabet S x {Q x S) for the automaton A below: 
with unique limit transition $\{0\} \to 0$. The ordinal automaton $\mathcal{A}$ recognizes all 
the $\alpha$-sequences $\alpha \to \Sigma'$ and in particular all the sequences $\omega^k \to \Sigma$. 

Let $x = x_1, \ldots, x_n$ be an input over the alphabet $\Sigma \setminus \{\triangleright, blank\}$. The conjunction 
$\phi$ of the formulae below encodes the existence of an accepting run of $M$ on 
input $x$ so that $\mathcal{A} \models \phi$ iff $M$ has an accepting run on input $x$. The formula $\phi$ is the 
conjunction of the formulae below. 

• Input word is x: 

K 

> A X 1 (go, X\) AX 2 x 2 A... AX n x n A X n G 2 ""blank. 

• Reaching accepting configuration: 

F"( Y (accept, a)) 

• Updating configuration ("the head is far away"): 

G w ( /\ (sAX^AX^^X^+'t). 

o,6,ceS 

• Move of the head to the right: 

G w ( /\ (aAX 1 ( g ,6)AX 2 c) ^X 2 " K aAX 2 " K + 1 6'AX 2 " K+2 ( g , ,6'))- 

a.b,c,q,S(q,b) — (q' ,b' ,1) 

• Similar formulae for the move to the left and for no move. 

Now, let us show that model-checking for LTL($\omega^k$) is in EXPSPACE by reducing 
model-checking to satisfiability in logarithmic space. Let $\mathcal{A} = (Q, \Sigma, \delta, E, I, F)$ be 
an ordinal automaton and $\phi$ be an LTL($\omega^k$) formula such that $\Sigma$ is a subset of 
$2^{AP(\phi)}$ and $AP(\phi)$ is the set of propositional variables occurring in $\phi$. Let 
$\mathcal{A}' = (Q', \Sigma', \delta', E', I', F')$ be the ordinal automaton below: 

• $Q' = Q \times \{0, \ldots, k\}$, $\Sigma' = \Sigma$, 

• $I' = I \times \{0\}$, $F' = F \times \{k\}$, 

• $(q, i) \xrightarrow{a} (q', i') \in \delta'$ iff $q \xrightarrow{a} q' \in \delta$, $i' = 0$, 

• P - G £7' @ i > 0, mazfj : (<?', j) G P} = i - 1 and {q' : (q',j) G 
This stratification of the states in $\mathcal{A}'$ guarantees that $L(\mathcal{A}') = L(\mathcal{A}) \cap \Sigma^{\omega^k}$. Observe 
that card(£") is less than card(E') $\times$ card($Q$)$^k$ which is still polynomial ($k$ is fixed). 
Hence, $\mathcal{A}'$ can be computed in logarithmic space in $|\mathcal{A}|$. Now let us encode the 
accepting runs of $\mathcal{A}'$ by an LTL($\omega^k$) formula $\phi_{\mathcal{A}'}$ that is a conjunction of the formulae 
below over the propositional variables in $AP(\phi) \cup Q'$. For $a \in \Sigma$, by the formula $a$ 
we mean $\bigwedge_{p \in a} p \wedge \bigwedge_{p \in (AP(\phi) \setminus a)} \neg p$. 

• Initial state: 

gel' 

• Final state: 

V (/\G U VV)A( /\ ^G"VV) 
p^ q eE', q eF> q'eP q'e(Q'\P) 

• Any position is labelled by a unique state: 

qEQ' q'=jtq 

• Any position is labelled by a letter in E: 

^ \Ja 

• One-step transitions: 

G^( f\ qAa^ \f X 1 ?') 

qeQ',aeX q^q>e5> 

• For each set of states P with limit transitions P — > . . . ,P — » (qN,i) 
and i > 0, we have: 

G" fc (( /\ G w! F w 'q')A( /\ -G" ! F"'g')^X UJ '(qiV...Vq A r)) 

f'ef s'e(Q'\-P) 

We have $\mathcal{A} \models \phi$ iff $\phi_{\mathcal{A}'} \wedge \phi$ is LTL($\omega^k$) satisfiable, whence the EXPSPACE upper 
bound. □ 



Appendix I: Proof of Theorem [5] 

In order to establish Theorem we first show the lemma below. 

Lemma I.1 The class of languages recognized by $\alpha$-succinct ordinal automata of 
level $k$ is closed under intersection. 

Proof. 

Let $\mathcal{A}_1 = (Q_1, \Sigma, \delta_1, E_1, I_1, F_1, l_1)$ and $\mathcal{A}_2 = (Q_2, \Sigma, \delta_2, E_2, I_2, F_2, l_2)$ be $\alpha$-succinct 
ordinal automata of level $k$ over the alphabet $\Sigma$. We define the intersection 
$\alpha$-succinct ordinal automaton $\mathcal{A} = (Q, \Sigma, \delta, E, I, F, l)$ as follows: 
• $Q = Q_1 \times Q_2$, $I = I_1 \times I_2$, $F = F_1 \times F_2$. 

• (91,92) (9i,92) e 5 iff 9i 9i S £1, and q 2 q' 2 e $2- 

• For every (P , -Pi, • ■ ■ , Pn, 9) £ Si and (R ,Ri, . . . , R m , q) G E 2 such that 
h(q) = h{q'), (P^Pi,...,P^R^R 1 ,...,R , m ,{q,q')) S £ with 

- P; = {b')£0:r6P,/eft, i 1 (r) = Z 2 (r')}, 

- iZj = {(r,r') e g : r' e i?,,r e Qi, Z x (r) = Z 2 (r')}- 

Observe that $n + m < |Q|$. 

The automaton $\mathcal{A}$ can be viewed as the synchronized product between $\mathcal{A}_1$ and $\mathcal{A}_2$ 
and $L(\mathcal{A}) = L(\mathcal{A}_1) \cap L(\mathcal{A}_2)$. □ 



Hardness is by an easy verification from the standard complexity results 
for the model checking for LTL($\omega^k$). 

As far as the upper bound is concerned, in the unary [resp. binary] case, $\mathcal{A} \times \mathcal{A}'_\phi$ 
is of size exponential [resp. doubly exponential] in $|\phi|$ and requires only polynomial 
[resp. exponential] space to be built, see Lemma ITT1 By adapting the proof of [HJ 
Corollary 3.36] and by considering Corollary [21 and Lemma0 we obtain that given 
an $\alpha$-succinct ordinal automaton $\mathcal{A}$ of level $k$ and a formula $\phi$ in LTL($\omega^k$), testing 
the emptiness of $\mathcal{A} \times \mathcal{A}'_\phi$ can be done in PSPACE [resp. EXPSPACE]. □ 

Appendix J: Proof of Proposition |5] 

The proof is by an easy verification by observing that $q \to q'$ in $\mathcal{A}$ iff there is 
a path $r : \omega^{k-1} + 1 \to Q$ in $lift_k(\mathcal{A})$ such that $r(0) = (k - 1, q)$, $r(1) = (0, q')$ and 
$r(\omega^{k-1}) = (k - 1, q')$. □ 